Add service that extends .gitlab-ci.yml configuration with DAST security scans
Why are we doing this work
While working on the research spike for #270880 (closed) and #280315 (closed), we noticed the need for a service that takes the GitLab CI configuration from the repository and extends it, either adding a DAST scan to the configuration or leaving only DAST security scans in the configuration.
YAML with the proposed policy (the policy must reside in `.gitlab/security-policies/policy.yml`):

```yaml
scan_execution_policy:
  - name: Run DAST in every pipeline
    description: This policy enforces to run DAST for every pipeline within the project
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "production"
    actions:
      - scan: dast
        site_profile: Site Profile
        scanner_profile: Scanner Profile
```
We need a service that will be able to:

- take the GitLab CI configuration as a parameter,
- take a list of scans to run as a parameter (but support DAST only for now).

Example of code that could be reused here:

- `Ci::RunDastScanService` => https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/services/ci/run_dast_scan_service.rb, or something similar to the `extend_config` method from this service:
Relevant links
Non-functional requirements

- [-] Documentation: Since we will only work on internal services, we do not need documentation.
- [-] Feature flag: No need to have a feature flag for an internal service.
- [-] Performance:
- Testing: Unit tests
Implementation plan

- backend Create ff `security_orchestration_policies`
- backend Implement a service that takes the current GitLab CI configuration, a list of security scans, and a flag to extend/replace the CI config, and modifies the configuration so that the DAST scan templates are included.
- backend Use the new service in the CI Processor
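The following is an added sketch (not GitLab's own code, and not the service named in this issue) of what the service described in the requirements list and the implementation plan could look like: it reads the policy YAML above, selects the actions whose pipeline rule matches the current branch, and then either extends the project's `.gitlab-ci.yml` with a DAST job or replaces the configuration with DAST only. The module name `ScanExecutionPolicy`, the `dast` stage name, the `Security/DAST.gitlab-ci.yml` template path and the `dast_configuration` job keys are assumptions of this example; both YAML documents are constructed sample input.

```ruby
require 'yaml'

# Constructed sample policy, mirroring the structure proposed in the issue.
POLICY_YAML = <<~YAML
  scan_execution_policy:
    - name: Run DAST in every pipeline
      description: This policy enforces to run DAST for every pipeline within the project
      enabled: true
      rules:
        - type: pipeline
          branches:
            - "production"
      actions:
        - scan: dast
          site_profile: Site Profile
          scanner_profile: Scanner Profile
YAML

# Constructed sample project .gitlab-ci.yml with no security scans of its own.
PROJECT_CI_YAML = <<~YAML
  stages:
    - build
    - test
  build:
    stage: build
    script:
      - make
YAML

module ScanExecutionPolicy
  SUPPORTED_SCANS = %w[dast].freeze
  DAST_TEMPLATE = 'Security/DAST.gitlab-ci.yml'.freeze # assumed template path
  DAST_STAGE = 'dast'.freeze                           # assumed stage used by the template

  # Returns the actions of every enabled policy whose pipeline rule lists the
  # given branch; a policy with no matching rule contributes nothing.
  def self.applicable_actions(policy_yaml, branch:)
    policy = YAML.safe_load(policy_yaml) || {}
    Array(policy['scan_execution_policy']).flat_map do |entry|
      next [] unless entry['enabled']

      matches = Array(entry['rules']).any? do |rule|
        rule['type'] == 'pipeline' && Array(rule['branches']).include?(branch)
      end
      matches ? Array(entry['actions']) : []
    end
  end

  # Builds the CI config hash: mode :extend keeps the project's jobs and adds
  # the scan, mode :replace starts from an empty config so only the scan runs.
  def self.build_config(ci_yaml, actions, mode: :extend)
    config = mode == :replace ? {} : (YAML.safe_load(ci_yaml) || {})
    actions.each do |action|
      scan = action['scan']
      raise ArgumentError, "unsupported scan: #{scan}" unless SUPPORTED_SCANS.include?(scan)

      config = add_dast(config, action)
    end
    config
  end

  # Adds the DAST template include, makes sure the stage the template's job
  # uses exists (otherwise the pipeline fails validation), and pins the
  # profiles from the policy action onto the dast job.
  def self.add_dast(config, action)
    includes = normalize_include(config['include'])
    template = { 'template' => DAST_TEMPLATE }
    includes << template unless includes.include?(template)

    stages = Array(config['stages']).dup
    stages << DAST_STAGE unless stages.include?(DAST_STAGE)

    job = (config['dast'] || {}).merge(
      'stage' => DAST_STAGE,
      'dast_configuration' => {
        'site_profile' => action['site_profile'],
        'scanner_profile' => action['scanner_profile']
      }
    )
    config.merge('include' => includes, 'stages' => stages, 'dast' => job)
  end

  # `include:` may be absent, a single string/hash, or a list; always return a list.
  def self.normalize_include(value)
    case value
    when nil then []
    when Array then value.dup
    else [value]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  actions = ScanExecutionPolicy.applicable_actions(POLICY_YAML, branch: 'production')
  puts ScanExecutionPolicy.build_config(PROJECT_CI_YAML, actions, mode: :extend).to_yaml
end
```

The branch check matters: the same policy applied to a branch not listed under `rules` yields no actions, so the project's configuration passes through untouched in extend mode and becomes an empty configuration in replace mode, which the caller should treat as "nothing to run" rather than as a pipeline.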
Edited by Alan (Maciej) Paruszewski