Enable button for Vulnerability-Check does not appear when expected after enabling Container Scanning or API Fuzzing

Summary

The Enable button does not always appear next to the Vulnerability-Check security approval when expected. In the docs on enabling security approvals we say:

To enable the Vulnerability-Check or License-Check Security Approvals, a project approval rule must be created. A security scanner job must be enabled for Vulnerability-Check, and a license scanning job must be enabled for License-Check. When the proper jobs aren’t configured, the following appears:

https://docs.gitlab.com/ee/user/application_security/img/unconfigured_security_approval_rules_and_jobs_v13_4.png

The security scanner job links to a list that includes Container Scanning (Container-Scanning.gitlab-ci.yml). After including the Container-Scanning.gitlab-ci.yml template and observing that the container_scanning job completes successfully, the Enable button does not appear next to the Vulnerability-Check security approval rule. The Enable button does appear as expected when including templates like Dependency-Scanning.gitlab-ci.yml or Coverage-Fuzzing.gitlab-ci.yml.

Steps to reproduce

  1. Build a .gitlab-ci.yml that builds and pushes a Docker image to that project's container registry. (The example in the Container Scanning docs is a good start.)
  2. Include the Container-Scanning.gitlab-ci.yml template in the .gitlab-ci.yml.
  3. Run a pipeline in the default branch.
  4. Observe that the container_scanning job is successful.
  5. Browse to Settings > General and expand Merge request (MR) approvals.
  6. Observe that the Enable button does not appear next to Vulnerability-Check.

The docs indicate that the Enable button should now be present but it isn't. Repeat the steps above with API-Fuzzing.gitlab-ci.yml to observe the same results (no Enable button).

If I do something similar with Dependency-Scanning.gitlab-ci.yml instead of Container-Scanning.gitlab-ci.yml, the Enable button does appear as expected. The customer who reported this is inquiring about making use of Container Scanning. See the table at the bottom of the issue for more info about the security scanners that I tested and which ones exhibit this behavior.

Example Project

This is happening in gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning which is a fork of greg/container-scanning where the unexpected behavior also happens. I was able to readily reproduce the behavior with a fork of this project.

  • pipelines for gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning

The .gitlab-ci.yml looks like this:

```yaml
variables:
  DOCKER_DRIVER: overlay2
  CLAIR_OUTPUT: High

stages:
  - build
  - test

build:
  image: docker:stable
  stage: build
  services:
    - docker:19.03.12-dind
  variables:
    IMAGE: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
  script:
    - docker info
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker push $IMAGE

include:
  - template: Container-Scanning.gitlab-ci.yml
```

What is the current bug behavior?

The Enable button does not appear next to Vulnerability-Check.

What is the expected correct behavior?

The Enable button should appear next to Vulnerability-Check.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com.


Possible fixes

In the steps to reproduce section, I noted:

If I do something similar with Dependency-Scanning.gitlab-ci.yml instead of Container-Scanning.gitlab-ci.yml, the Enable button does appear as expected.

Here's some more detail on that:

| Template | Does 'Enable' appear next to Vulnerability-Check when the template is included and jobs pass? | Example Project |
| --- | --- | --- |
| Container-Scanning.gitlab-ci.yml | No | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/container-scanning |
| API-Fuzzing.gitlab-ci.yml | No | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/api-fuzzing |
| Dependency-Scanning.gitlab-ci.yml | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/dependency-scanning |
| Security/Secret-Detection.gitlab-ci.yml | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/secret-detection |
| Coverage-Fuzzing.gitlab-ci.yml | Yes | https://gitlab.com/gitlab-gold/briecarranza/tickets/vulnerability-check/coverage-fuzzing |