Enable button for Vulnerability-Check does not appear when expected after enabling Container Scanning or API Fuzzing
Summary
The Enable button does not always appear next to the Vulnerability-Check security approval when expected. In the docs on enabling security approvals we say:

> To enable the Vulnerability-Check or License-Check Security Approvals, a project approval rule must be created. A security scanner job must be enabled for Vulnerability-Check, and a license scanning job must be enabled for License-Check. When the proper jobs aren't configured, the following appears:
The security scanner job link points to a list that includes Container Scanning (`Container-Scanning.gitlab-ci.yml`). After including the `Container-Scanning.gitlab-ci.yml` template and observing that the `container_scanning` job completes successfully, the Enable button does not appear next to the Vulnerability-Check security approval rule. The Enable button does appear as expected when including templates like `Dependency-Scanning.gitlab-ci.yml` or `Coverage-Fuzzing.gitlab-ci.yml`.
Steps to reproduce
- Build a `.gitlab-ci.yml` that builds and pushes a Docker image to that project's container registry. (The example in the Container Scanning docs is a good start.)
- Include the `Container-Scanning.gitlab-ci.yml` template in the `.gitlab-ci.yml`.
- Run a pipeline in the default branch.
- Observe that the `container_scanning` job is successful.
- Browse to Settings > General and expand Merge request (MR) approvals.
- Observe that the Enable button does not appear next to Vulnerability-Check.
The docs indicate that the Enable button should now be present but it isn't. Repeat the steps above with `API-Fuzzing.gitlab-ci.yml` to observe the same results (no Enable button).

If I do something similar with `Dependency-Scanning.gitlab-ci.yml` instead of `Container-Scanning.gitlab-ci.yml`, the Enable button does appear as expected. The customer who reported this is inquiring about making use of Container Scanning. See the table at the bottom of the issue for more info about the security scanners that I tested and which ones exhibit this behavior.
Example Project
This is happening in `gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning`, which is a fork of `greg/container-scanning`, where the unexpected behavior also happens. I was able to readily reproduce the behavior with a fork of this project.

- Pipelines for `gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning`

The `.gitlab-ci.yml` looks like this:
```yaml
variables:
  DOCKER_DRIVER: overlay2
  # Only report findings of High severity and above (consumed by the Clair-based scanner job)
  CLAIR_OUTPUT: High

stages:
  - build
  - test

build:
  image: docker:stable
  stage: build
  services:
    - docker:19.03.12-dind
  variables:
    # Tag the image per commit so the container_scanning job scans exactly what this pipeline built
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - docker info
    # CI_REGISTRY_USER / CI_REGISTRY_PASSWORD are the job-scoped registry credentials GitLab provides
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

include:
  # Adds the container_scanning job in the test stage
  - template: Container-Scanning.gitlab-ci.yml
```
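A job showing as "successful" in the pipeline view does not by itself confirm that a security report artifact was uploaded, which is the thing the approval rule is keyed on. The script below is an added example (not part of this issue and not GitLab's own code) that lists, per job, which security report artifact types a pipeline's jobs uploaded, using the GitLab Jobs API. It assumes, and this is not stated anywhere in the issue, that `GET /projects/:id/pipelines/:pipeline_id/jobs` returns an `artifacts` list per job whose entries carry a `file_type` naming the report type (for example `container_scanning`); the environment variable names `GITLAB_TOKEN`, `GITLAB_PROJECT` and `GITLAB_PIPELINE_ID` are this example's own choice. The set of report types it looks for is just the templates from the table at the bottom of this issue, not an authoritative list of what Vulnerability-Check recognizes. A constructed sample response is embedded so the script runs offline.

```python
"""Added example: list which security report artifact types each job of a
GitLab pipeline uploaded. Not part of the issue or of GitLab's code base.

Assumption (not from the issue): the Jobs API response includes, per job,
an "artifacts" list whose entries have a "file_type" such as
"container_scanning" or "dependency_scanning" for report artifacts.
"""
import json
import os
import urllib.parse
import urllib.request

# Report types corresponding to the templates exercised in the issue's table.
# Constructed for this example; not an authoritative list of what
# Vulnerability-Check recognizes.
SECURITY_REPORT_TYPES = {
    "container_scanning",
    "api_fuzzing",
    "dependency_scanning",
    "secret_detection",
    "coverage_fuzzing",
}


def report_types_by_job(jobs):
    """Map job name -> set of security report file_types that job uploaded.

    Jobs that uploaded no security report (only archive/trace/metadata
    artifacts) are omitted, so an empty result means no report was produced.
    """
    result = {}
    for job in jobs:
        types = {
            artifact.get("file_type")
            for artifact in job.get("artifacts", [])
            if artifact.get("file_type") in SECURITY_REPORT_TYPES
        }
        if types:
            result[job["name"]] = types
    return result


def fetch_pipeline_jobs(base_url, project, pipeline_id, token):
    """Live fetch of a pipeline's jobs; needs network access and a token.

    `project` may be a numeric ID or a URL-encoded path such as
    group/subgroup/project (quote() handles the encoding).
    """
    url = "%s/api/v4/projects/%s/pipelines/%s/jobs?per_page=100" % (
        base_url.rstrip("/"), urllib.parse.quote(str(project), safe=""), pipeline_id)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like the Jobs API response (not real data): a
# build job with only a trace artifact, and a passing container_scanning job
# that uploaded a container_scanning report.
SAMPLE_JOBS = [
    {"name": "build", "status": "success",
     "artifacts": [
         {"file_type": "trace", "size": 100, "filename": "job.log", "file_format": None}]},
    {"name": "container_scanning", "status": "success",
     "artifacts": [
         {"file_type": "container_scanning", "size": 2048,
          "filename": "gl-container-scanning-report.json", "file_format": "raw"},
         {"file_type": "trace", "size": 100, "filename": "job.log", "file_format": None}]},
]

if __name__ == "__main__":
    jobs = SAMPLE_JOBS
    # Hypothetical variable names chosen for this example.
    token = os.environ.get("GITLAB_TOKEN")
    project = os.environ.get("GITLAB_PROJECT")
    pipeline_id = os.environ.get("GITLAB_PIPELINE_ID")
    if token and project and pipeline_id:
        jobs = fetch_pipeline_jobs(os.environ.get("CI_SERVER_URL", "https://gitlab.com"),
                                   project, pipeline_id, token)
    found = report_types_by_job(jobs)
    if not found:
        print("no security report artifacts found in this pipeline")
    for name, types in sorted(found.items()):
        print("%s: %s" % (name, ", ".join(sorted(types))))
```

Run it with no environment variables to see the constructed sample; set `GITLAB_TOKEN`, `GITLAB_PROJECT` and `GITLAB_PIPELINE_ID` to inspect a real pipeline. If the `container_scanning` job appears in the output with a `container_scanning` report, the job did upload a report and the missing Enable button is on the approval-rule side rather than the scanner side.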
What is the current bug behavior?
The Enable button does not appear next to Vulnerability-Check.
What is the expected correct behavior?
The Enable button should appear next to Vulnerability-Check.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
Possible fixes
In the steps to reproduce section, I noted:

> If I do something similar with `Dependency-Scanning.gitlab-ci.yml` instead of `Container-Scanning.gitlab-ci.yml`, the Enable button does appear as expected.

Here's some more detail on that:
| Template | Does 'Enable' appear next to Vulnerability-Check when template is included and jobs pass? | Example Project |
|---|---|---|
| `Container-Scanning.gitlab-ci.yml` | No | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning |
| `API-Fuzzing.gitlab-ci.yml` | No | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/api-fuzzing |
| `Dependency-Scanning.gitlab-ci.yml` | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/dependency-scanning |
| `Security/Secret-Detection.gitlab-ci.yml` | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/secret-detection |
| `Coverage-Fuzzing.gitlab-ci.yml` | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/coverage-fuzzing |