Manual migration from Vulnerability-Check rules to Scan Result Policies
Problem to solve
With %15.0 we are removing Vulnerability-Check rules and will support Scan Result Policies only. We tried the automatic migration for many users, but unfortunately it was successful for only 5% of customers, and we received feedback that this automated migration was not desirable (#362553 (closed)).
With this issue we would like to prepare a document (and an automated script) that can be used to carry out the migration from Vulnerability-Check rules.
Further details
Slack thread (internal only): https://gitlab.slack.com/archives/C01B9MBNW6T/p1652742818207329
For such a customer, I'd definitely investigate a scripting approach. The policy is a yml file in a repository. The steps would be:
- Create the policy management repository (there's a graphql mutation to create it)
- (optional) Associate any extra projects with the management repository above (I believe there's also a graphql mutation for this)
- Create the yml file
- Submit and merge the MR to activate the policy
Proposal
How to migrate to Scan Result Policies using the UI only?
- Go to your project page.
- From the menu select Security & Compliance -> Policies
- Click the New Policy button and select Scan Result Policy.
- Use the UI to create the policy (Rule mode) or switch to .yaml mode (documentation); you can use this to prepare the YAML file.
- Click the Configure with a merge request button. This creates a new Security Policy Project and an MR with the updated policy; once you merge that MR, the policy is applied.
- If you want to reuse this policy for other projects, you can select this Security Policy Project for them:
- Go to another project page.
- Click Edit policy project
- Select your Security Policy Project from the dropdown.
- Click the Save button to save your changes.
How to migrate to Scan Result Policies using the automated script?
A demo of this migration was recorded and is available here: https://youtu.be/biU1N26DfBc
The automated script can be found here: $2328089
To execute the script you need Ruby 2.7+ installed; alternatively, you can run it inside a Docker container:

```shell
$ docker run --rm -it ruby:2.7 sh
$ gem install graphql-client
$ wget https://gitlab.com/gitlab-org/gitlab/-/snippets/2328089/raw/main/generate.rb https://gitlab.com/gitlab-org/gitlab/-/snippets/2328089/raw/main/policies.yml
$ GITLAB_TOKEN="______" ruby ./generate.rb ./policies.yml
```

To generate the GITLAB_TOKEN, go to https://gitlab.com/-/profile/personal_access_tokens and create a new token with the api scope (documentation).
NOTE: You can run this script against GitLab instances other than GitLab.com by setting the GITLAB_API_URI variable (e.g. GITLAB_API_URI=https://my-other-gitlab-instance.example.com).
To run the script you need to prepare a policies.yml file with details about your projects:
```yaml
policies:
  - create_security_policy_project_paths: # a Security Policy Project is created for each project in this list
      - gitlab-org/protect/demos/sandbox/test-policy-create-2
    # security_policy_project_path: gitlab-org/protect/demos/sandbox/test-policy-create-security-policy-project
    unassign_security_policy_project_paths: # the Security Policy Project is unassigned from each project in this list first
      - gitlab-org/protect/demos/sandbox/test-policy-create-2
      - gitlab-org/protect/demos/sandbox/test-policy-create-3
      - gitlab-org/protect/demos/sandbox/test-policy-create-4
      - gitlab-org/protect/demos/sandbox/test-policy-create-5
    assign_security_policy_project_paths: # uses the project created for the last entry of create_security_policy_project_paths, or security_policy_project_path if provided
      - gitlab-org/protect/demos/sandbox/test-policy-create-3
      - gitlab-org/protect/demos/sandbox/test-policy-create-4
      - gitlab-org/protect/demos/sandbox/test-policy-create-5
    yaml:
      type: scan_result_policy
      name: Vulnerability-Check
      enabled: true
      rules:
        - type: scan_finding
          scanners:
            - sast
            - secret_detection
            - dependency_scanning
            - container_scanning
            - dast
            - coverage_fuzzing
            - api_fuzzing
          branches:
            - main
          vulnerability_states:
            - newly_detected
            - detected
            - confirmed
            - resolved
            - dismissed
          vulnerabilities_allowed: 10
          severity_levels:
            - info
            - unknown
            - low
            - medium
            - high
            - critical
      actions:
        - type: require_approval
          approvals_required: 1
          user_approvers:
            - mparuszewski
```
policies.yml file format
policies field
You can define multiple policies to automate Scan Result Policy creation across your projects. Each policy has these fields:
create_security_policy_project_paths field
A list of project paths. For each project in this list, the script creates a Security Policy Project and applies the policy from the yaml field.
security_policy_project_path field
As an alternative to create_security_policy_project_paths, you can provide an existing project to assign as the Security Policy Project to the projects listed in assign_security_policy_project_paths.
unassign_security_policy_project_paths field
A list of projects from which the Security Policy Project should be unassigned. This is useful if you want to revert the changes made by the automated script.
assign_security_policy_project_paths field
A list of project paths. For each project in this list, the script assigns a Security Policy Project. If security_policy_project_path is provided, it is used as the Security Policy Project; otherwise the Security Policy Project created for the last project in the create_security_policy_project_paths list is used.
yaml field
This field contains the Scan Result Policy you would like to create for your projects. Its format is the same as in the Policies UI editor (.yaml mode).
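As an added example (not the snippet's own code), the following Ruby dry-run planner applies the field rules described above to a constructed policies.yml: it validates the yaml field, resolves which Security Policy Project each assigned project gets, and lists the steps in order, so a file can be reviewed before any token or API call is involved. Project paths and the approver name are placeholders.

```ruby
# Added example, not code from the snippet on this page: a dry-run planner for
# the policies.yml format described above. It checks the stated field rules and
# returns the steps generate.rb would perform, without calling any API.
require 'yaml'

# Constructed sample in the page's layout; project paths are placeholders.
SAMPLE_POLICIES_YML = <<~YAML
  policies:
    - create_security_policy_project_paths:
        - example-group/app-a
      unassign_security_policy_project_paths:
        - example-group/app-b
      assign_security_policy_project_paths:
        - example-group/app-b
        - example-group/app-c
      yaml:
        type: scan_result_policy
        name: Vulnerability-Check
        rules:
          - type: scan_finding
            scanners: [sast, dependency_scanning]
            vulnerabilities_allowed: 0
            severity_levels: [high, critical]
        actions:
          - type: require_approval
            approvals_required: 1
            user_approvers: [security-team-lead]
YAML

# Validate one policy entry and return its steps as [action, project, detail].
def plan_policy(policy, index)
  creates = Array(policy['create_security_policy_project_paths'])
  assign  = Array(policy['assign_security_policy_project_paths'])
  spec    = policy['yaml']
  raise ArgumentError, "policy #{index}: yaml.type must be scan_result_policy" unless spec.is_a?(Hash) && spec['type'] == 'scan_result_policy'
  raise ArgumentError, "policy #{index}: yaml needs rules and actions" if Array(spec['rules']).empty? || Array(spec['actions']).empty?
  # Resolution rule from the page: security_policy_project_path wins, else the project created for the last create entry.
  source = policy['security_policy_project_path'] || (creates.empty? ? nil : "<project created for #{creates.last}>")
  raise ArgumentError, "policy #{index}: assign list has no Security Policy Project source" if !assign.empty? && source.nil?
  steps = Array(policy['unassign_security_policy_project_paths']).map { |p| [:unassign, p] } # unassign runs first
  steps += creates.map { |p| [:create, p, spec['name']] }
  steps + assign.map { |p| [:assign, p, source] }
end

# Parse policies.yml text and return the combined plan for all policies.
def plan_policies(text)
  doc = YAML.safe_load(text)
  policies = doc.is_a?(Hash) ? Array(doc['policies']) : []
  raise ArgumentError, "top-level 'policies' list is missing" if policies.empty?
  policies.each_with_index.flat_map { |pol, i| plan_policy(pol, i) }
end

plan_policies(SAMPLE_POLICIES_YML).each { |step| puts step.join("\t") } if $PROGRAM_NAME == __FILE__
```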
After you prepare your policies.yml, you can run the script:

```shell
ruby ./generate.rb ./policies.yml
```

This starts the script, and the output shows its progress. When the script succeeds, it generates and prints a link for creating the MR (Create new MR with link:):

```
Processing policy 0...
Creating Security Policy Project for gitlab-org/protect/demos/sandbox/test-policy-create-2... Finished: gid://gitlab/Project/36324119
Creating MR with updated policy in Security Policy Project for gitlab-org/protect/demos/sandbox/test-policy-create-2... Finished.
Create new MR with link: https://gitlab.com/gitlab-org/protect/demos/sandbox/test-policy-create-2-security-policy-project/-/merge_requests/new?merge_request%5Bsource_branch%5D=update-policy-1652993275
Assigning Security Policy Project (gid://gitlab/Project/36324119) for gitlab-org/protect/demos/sandbox/test-policy-create-3... Finished.
Assigning Security Policy Project (gid://gitlab/Project/36324119) for gitlab-org/protect/demos/sandbox/test-policy-create-4... Finished.
Assigning Security Policy Project (gid://gitlab/Project/36324119) for gitlab-org/protect/demos/sandbox/test-policy-create-5... Finished.
```

You need to open this link, create the MR and merge it to apply your policy. This lets you double-check that the created policy is what you intended before it takes effect.