Execute scheduled security policy scans in a single pipeline
Why are we doing this work
Currently if we have a scheduled policy like this:
```yaml
scan_execution_policy:
  - name: Scheduled scan
    description: description
    enabled: true
    rules:
      - type: schedule
        branches:
          - master
          - feature-a
        cadence: "*/30 * * * *"
    actions:
      - scan: dast
        scanner_profile: Scanner Profile A
        site_profile: Site Profile B
      - scan: secret_detection
```
There will be 4 pipelines created: `secret_detection` for branch `master` and `feature-a`, and `dast` for branch `master` and `feature-a`.
The reason we cannot run `secret_detection` and `dast` in the same pipeline is that we re-use the code from On Demand DAST scans, so the pipeline source for `dast` is `ondemand_dast_scan`, while for `secret_detection` the source is `security_orchestration_policy`.
Requirements
- It is desired to have all the jobs for a branch executed in a single pipeline instead of multiple pipelines
- The `dast` scan should be executed in the pipeline with source `security_orchestration_policy`
Implementation plan
- backend: Move the logic of creating a pipeline for each scan from `Security::SecurityOrchestrationPolicies::RuleScheduleService` to `Security::SecurityOrchestrationPolicies::CreatePipelineService`
- backend: Use `AppSec::Dast::ScanConfigs::BuildService` to create the pipeline configuration for the `dast` scan and set `pipeline.dast_profile = dast_profile`, similar to `Ci::RunDastScanService`
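To make the difference concrete, here is an added Ruby example (not GitLab's code and not the services named above) that reads the scheduled policy from this issue and lists the pipelines the current per-action behaviour produces next to the one-pipeline-per-branch layout the plan asks for; the helper names and hash shapes are assumptions for illustration.

```ruby
require 'yaml'
# Constructed sample: the scheduled policy from the issue description.
POLICY = YAML.safe_load(<<~YAML)
  scan_execution_policy:
    - name: Scheduled scan
      description: description
      enabled: true
      rules:
        - type: schedule
          branches:
            - master
            - feature-a
          cadence: "*/30 * * * *"
      actions:
        - scan: dast
          scanner_profile: Scanner Profile A
          site_profile: Site Profile B
        - scan: secret_detection
YAML

# Branches named by the entry's schedule rules, duplicates collapsed.
def scheduled_branches(entry)
  Array(entry['rules']).select { |r| r['type'] == 'schedule' }.flat_map { |r| Array(r['branches']) }.uniq
end

# Current behaviour: one pipeline per (branch, action) pair, dast under its own source.
def plan_per_action(policy = POLICY)
  policy['scan_execution_policy'].flat_map do |entry|
    next [] unless entry['enabled']
    scheduled_branches(entry).product(entry['actions']).map do |branch, action|
      source = action['scan'] == 'dast' ? 'ondemand_dast_scan' : 'security_orchestration_policy'
      { branch: branch, source: source, scans: [action['scan']] }
    end
  end
end

# Proposed behaviour: one pipeline per branch with every action under the
# security_orchestration_policy source; dast profiles ride along for pipeline.dast_profile.
def plan_per_branch(policy = POLICY)
  policy['scan_execution_policy'].flat_map do |entry|
    next [] unless entry['enabled']
    dast = entry['actions'].find { |a| a['scan'] == 'dast' }
    scheduled_branches(entry).map do |branch|
      { branch: branch, source: 'security_orchestration_policy',
        scans: entry['actions'].map { |a| a['scan'] },
        dast_profile: dast&.slice('scanner_profile', 'site_profile') }
    end
  end
end
```

Running `plan_per_action` on the sample yields the 4 pipelines described above, while `plan_per_branch` yields 2, one per branch, both with source `security_orchestration_policy`.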