Change default Dependency Scanning templates to make scanning jobs fail (allowed to fail) when vulnerabilities detected
Problem to solve
Once all the Dependency Scanning analyzers are updated to exit with a non-zero exit code when vulnerabilities are found, we need to change the Dependency Scanning CI template.
Proposal
Change the Dependency Scanning CI template
- to enable the new behavior, and make the scanning job exit with a non-zero exit code when vulnerabilities are found
- to allow the job failure when vulnerabilities are found
This is done by changing the definition of `.ds-analyzer` in the CI template:
- update the `variables`, and set the variable that changes the behavior
- don't set `allow_failure` to `true`, but instead set `allow_failure:exit_codes` so that it matches the exit code returned when vulnerabilities are found
The new environment variable that changes the behavior and the new exit codes for when vulnerabilities are found are specified in #324634 (closed).
See experiment in gitlab-org/security-products/tests/ruby-bundler!1264 (diffs)
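The following is an added illustration of the proposed `.ds-analyzer` change, not code from this issue or from the actual GitLab template. The variable name `PLACEHOLDER_DS_FAIL_ON_VULNERABILITIES` and the exit code `100` are placeholders: the real variable and exit code are the ones specified in #324634. The "before" job is shown next to the proposed one so the difference in what gets tolerated is visible.

```yaml
# Added example, not the page's own template code.
# PLACEHOLDER_DS_FAIL_ON_VULNERABILITIES and exit code 100 are assumptions;
# the real variable name and exit code are defined in #324634.

# Before: `allow_failure: true` tolerates every non-zero exit, so a job that
# crashed, mis-parsed its config, or could not reach a package registry looks
# the same in the pipeline as a job that found vulnerabilities.
.ds-analyzer-before:
  stage: test
  script:
    - /analyzer run
  allow_failure: true

# Proposed: turn on the new exit-code behavior and tolerate only the
# "vulnerabilities found" code. Any other failure still fails the job.
.ds-analyzer:
  stage: test
  variables:
    PLACEHOLDER_DS_FAIL_ON_VULNERABILITIES: "true"   # placeholder name
  script:
    - /analyzer run
  allow_failure:
    exit_codes:
      - 100   # placeholder; must equal the analyzer's "vulnerabilities found" exit code
```

With `allow_failure:exit_codes`, a run that finds vulnerabilities shows as "allowed to fail" (warning) in the pipeline, while an analyzer error that exits with any other code fails the job outright, so a broken scan is no longer silently reported as a pass. The list in `exit_codes` must be kept in sync with the analyzers' exit codes as they are updated.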
Implementation plan
- Change the Dependency Scanning CI template
Links
See specs in design issue: #324634 (closed)
Edited by Fabien Catteau