
GraphQL SecurityScanners does not show enabled for group-enforced scan execution policy scans


Summary

The SecurityScanners GraphQL query reports whether a project has an enabled security scanner or not. When a project is covered by a scheduled scan execution policy, the query does not report the status of the scanner, even if the scan execution policy runs one or more applicable jobs. This does not affect the scan execution policy itself, but it gives a false answer to users making GraphQL queries about the state of a project's enabled scanners.

Steps to reproduce

  1. Create a group.
  2. Create a project beneath the group.
  3. On the group, create a scheduled scan execution policy. The example YAML configuration below can be used as-is.
  4. In the project, create some content that will trigger an alert for the Dependency Scanning tool. Refer to the public project linked below.
  5. Ensure the project has run at least one pipeline, and that the Security Dashboard displays the vulnerability.

Example YAML file to run the scan execution policy every 15 minutes

---
scan_execution_policy:
- name: Scheduled
  description: ''
  enabled: true
  rules:
  - type: schedule
    cadence: "*/15 * * * *"
    branch_type: all
  actions:
  - scan: dependency_scanning
    tags:
    - security

Example Project

This project has been created on GitLab.com to reproduce the issue. Please tag me if you'd like full access to view and manage settings. An active vulnerability is present:

[Screenshot: the project's Security Dashboard showing the active vulnerability]

You can query with GraphQL explorer using this query:

{
  projects(ids:"gid://gitlab/Project/51588968") {
    ... on ProjectConnection {
      nodes {
        webUrl
        id
        nameWithNamespace
        path
        name
        archived
        jobsEnabled
        createdAt
        statistics {
          repositorySize
        }
        securityScanners {
          enabled
        }
        scanExecutionPolicies(first:5,relationship:INHERITED){
          nodes{
            name
            enabled
          }
        }
      }
    }
  }
}

A response is received that does confirm a Scan Execution Policy is enabled, but the securityScanners.enabled list is empty:

{
  "data": {
    "projects": {
      "nodes": [
        {
          "webUrl": "https://gitlab.com/benjaminking_ultimate_group/463743/project",
          "id": "gid://gitlab/Project/51588968",
          "nameWithNamespace": "benjaminking Ultimate Group / 463743 / project",
          "path": "project",
          "name": "project",
          "archived": false,
          "jobsEnabled": true,
          "createdAt": "2023-10-26T03:43:10Z",
          "statistics": {
            "repositorySize": 3861
          },
          "securityScanners": {
            "enabled": []
          },
          "scanExecutionPolicies": {
            "nodes": [
              {
                "name": "Scheduled",
                "enabled": true
              }
            ]
          }
        }
      ]
    }
  }
}

What is the current bug behavior?

GraphQL does not indicate that this project is subject to Dependency Scanning. We would expect the field to be presented as:

"securityScanners": {
  "enabled": [
    "DEPENDENCY_SCANNING"
  ]
},

What is the expected correct behavior?

The securityScanners field should take into account the scan execution policy enforcement applied to the project (including policies inherited from the group) and list the relevant scanner where applicable.
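Until the field accounts for policies, anyone auditing scanner coverage through GraphQL needs to reconcile the two parts of the response themselves. The script below is an added example, not code from GitLab or from this issue: it takes a response shaped like the one above (the sample is constructed to match it) together with the policy documents, derives the scanners an enabled inherited policy enforces, and reports projects where the policy enforces a scanner that securityScanners.enabled does not list. It assumes that scanner enum names are the upper-cased policy action names (dependency_scanning -> DEPENDENCY_SCANNING) and that the policy YAML is obtained separately (for example from the policy project or the ScanExecutionPolicy yaml field); the policy is embedded here as the dict a YAML parser would produce so the example needs no extra library.

```python
"""Reconcile securityScanners.enabled with inherited scan execution policies.

Added example for this issue; not GitLab's own code.
"""
import json

# Constructed sample modelled on the GraphQL response shown in the issue
# (same project id and field shape); it is not a live API result.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "projects": {
      "nodes": [
        {
          "id": "gid://gitlab/Project/51588968",
          "nameWithNamespace": "benjaminking Ultimate Group / 463743 / project",
          "securityScanners": {"enabled": []},
          "scanExecutionPolicies": {
            "nodes": [{"name": "Scheduled", "enabled": true}]
          }
        }
      ]
    }
  }
}
""")

# The group policy from the issue, written out as the dict PyYAML would
# produce from the YAML file (embedded so the example runs without PyYAML).
POLICY_DOCUMENTS = {
    "Scheduled": {
        "name": "Scheduled",
        "enabled": True,
        "rules": [
            {"type": "schedule", "cadence": "*/15 * * * *", "branch_type": "all"}
        ],
        "actions": [{"scan": "dependency_scanning", "tags": ["security"]}],
    }
}


def scanners_from_policy(policy):
    """Return the scanner names an enabled policy's actions imply.

    Assumption: the GraphQL SecurityScannerType value is the upper-cased
    action name, e.g. dependency_scanning -> DEPENDENCY_SCANNING.
    """
    if not policy.get("enabled", False):
        return set()
    return {a["scan"].upper() for a in policy.get("actions", []) if "scan" in a}


def effective_scanners(project, policy_documents):
    """Return (reported, enforced): what the API lists vs what policies enforce."""
    reported = set(project["securityScanners"]["enabled"])
    enforced = set()
    for node in project["scanExecutionPolicies"]["nodes"]:
        # Only enabled policies whose document we have can enforce scans.
        if node.get("enabled") and node["name"] in policy_documents:
            enforced |= scanners_from_policy(policy_documents[node["name"]])
    return reported, enforced


def find_discrepancies(response, policy_documents):
    """List projects where a policy enforces a scanner the API does not report."""
    findings = []
    for project in response["data"]["projects"]["nodes"]:
        reported, enforced = effective_scanners(project, policy_documents)
        missing = sorted(enforced - reported)
        if missing:
            findings.append({"id": project["id"], "missing": missing})
    return findings


if __name__ == "__main__":
    # For the issue's project this prints DEPENDENCY_SCANNING as missing.
    print(json.dumps(find_discrepancies(SAMPLE_RESPONSE, POLICY_DOCUMENTS), indent=2))
```

The union of `reported` and `enforced` is the coverage a dashboard should actually show; the `missing` list is the gap this issue describes, and it goes away once the field accounts for policies.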

Output of checks

This bug happens on GitLab.com

Possible fixes

This comment in a confidential issue lists the checks that decide whether a pipeline/job is in a state where a security scanner should be reported as enabled; scan execution policy jobs are not currently considered by them.
