Introduce a hidden job and anchors into the CI templates

Problem

Users of API Security often copy the template job definition instead of extending it. This issue is to address some of the reasons a user might copy and modify the template instead of extending from it.

API Security is integrated into a customer pipeline by including a template file and either using the default job or extending it. However, there are limits to what can be accomplished by extending a job.

  • Unable to use job name that differs from the default job name
  • Unable to extend sections in the job definition (rules, artifact paths)
    • This is the largest cause of problems

This often causes users to copy our template instead of extending it.

Proposal

NOTE: This approach needs to be tested/validated. In particular, YAML anchors are scoped to the file that defines them, so a user who pulls the template in with include: cannot reference *dast_api_rules from their own .gitlab-ci.yml; the anchors only help inside the template itself, and GitLab's !reference tag is the cross-file way to reuse a section of a hidden job.

  1. Create a hidden job .dast_api that contains the base job definition
  2. Add yaml anchors to sections that are commonly extended or replaced
  3. Make the default dast_api job an extension of .dast_api
  4. Allow the default dast_api job to be disabled through a new variable DAST_API_DISABLE_DEFAULT_JOB
  5. Document various ways to extend/define a DAST API job
  6. Add comments to the template to provide users hints and links into our documentation

# Hidden base job: holds the full job definition. Anchors mark the
# sections users most often need to replace or extend.
.dast_api:
  stage: dast
  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
  allow_failure: true
  rules: &dast_api_rules
    - if: $DAST_API_DISABLED
      when: never
    - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $CI_GITLAB_FIPS_MODE == "true"
      variables:
        DAST_API_IMAGE_SUFFIX: "-fips"
    - if: $CI_COMMIT_BRANCH
  script:
    - /peach/analyzer-dast-api
  artifacts: &dast_api_artifacts
    when: always
    paths: &dast_api_artifacts_paths
      - gl-assets
      - gl-dast-api-report.json
      - gl-*.log
    reports:
      dast: gl-dast-api-report.json

# Default job. Setting DAST_API_DISABLE_DEFAULT_JOB turns it off so that a
# job with a different name can extend .dast_api instead.
dast_api:
  extends: .dast_api
  rules:
    # Rules are evaluated in order and the first match wins, so the
    # disable rule has to come before the base rules.
    - if: $DAST_API_DISABLE_DEFAULT_JOB
      when: never
    # YAML merge keys (<<:) only merge mappings, never sequences, so the
    # base rules cannot be spliced in through the *dast_api_rules anchor.
    # GitLab's !reference tag is flattened into the surrounding array.
    - !reference [.dast_api, rules]

Example extending the artifact paths to include an overrides JSON file. extends deep-merges mappings, so when: and reports: are inherited from .dast_api and only paths: is replaced; the base paths are pulled back in with !reference because a sequence cannot be merged through an anchor:

dast_api:
  extends: .dast_api
  artifacts:
    paths:
      - !reference [.dast_api, artifacts, paths]
      - custom_overrides.json
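
As an added example (not part of this issue or of the template), here is how a project's own .gitlab-ci.yml could use the proposed hidden job. It covers steps 4 and 5 of the proposal and both snippets above from the user's side: disabling the default job, defining a job with a project-chosen name, adding a rule in front of the template's rules, and extending the artifact paths. Security/DAST-API.gitlab-ci.yml is the existing template path; the .dast_api hidden job and the DAST_API_DISABLE_DEFAULT_JOB variable exist only once the proposal is implemented, and the target URL and OpenAPI file name are placeholder values.

```yaml
# Project .gitlab-ci.yml (added example). Assumes the included template
# defines the hidden job .dast_api and that its default job dast_api
# honours DAST_API_DISABLE_DEFAULT_JOB, as proposed in this issue.
include:
  - template: Security/DAST-API.gitlab-ci.yml

# .dast_api runs in the dast stage, so the project must define it.
stages:
  - build
  - test
  - dast

variables:
  # Switch off the template's default dast_api job; only the job below runs.
  DAST_API_DISABLE_DEFAULT_JOB: "true"
  # Normal DAST API target configuration (placeholder values).
  DAST_API_OPENAPI: openapi.json
  DAST_API_TARGET_URL: https://staging.example.invalid

# A job with a name of the project's choosing, extending the hidden base job.
# stage, image, script, allow_failure and the artifact report are inherited.
dast_api_staging:
  extends: .dast_api
  rules:
    # Also scan in merge request pipelines, then fall through to the
    # template's own rules. The template's anchors (*dast_api_rules) are
    # not visible here because YAML anchors are scoped to the file that
    # defines them; !reference resolves across included files and is
    # flattened into this array.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - !reference [.dast_api, rules]
  artifacts:
    # extends deep-merges mappings: when: and reports: come from .dast_api,
    # only paths: is replaced, and the base paths are pulled back in.
    paths:
      - !reference [.dast_api, artifacts, paths]
      - custom_overrides.json
```

Because rules are evaluated top to bottom and the first match wins, any project-specific when: never rules belong before the !reference line, exactly as the disable rule does in the template's default job.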
Edited Jul 20, 2022 by Michael Eddington