
Add "Manage Security Testing" as a customizable permission

Release notes

Group Owners and project Maintainers can adjust the various security settings. In practice this means a user who only needs to manage scanner configuration is often given a role that also carries destructive group or project permissions. With this release you can create a custom role from any base role (for example Developer) and add the Manage Security Testing permission, so the user can manage security scanner configuration settings (SAST, Secret Detection (SD), Dependency Scanning, Container Scanning, DAST, API Security, IaC Scanning, and so on) without being overprivileged.

Background

Group Owners and project Maintainers can edit security configuration settings. Organizations that need a subset of users to manage these settings therefore elevate them to Owner or Maintainer, and as a consequence those users can edit every other group or project setting as well. This permission allows a custom role such as Developer + Manage Security Testing, so organizations can reduce the number of Owners and Maintainers in their environment.

This permission becomes more important as https://gitlab.com/groups/gitlab-org/-/epics/16190+ is built out and more scanner configuration moves into the UI and APIs.

Proposal and User Experience

  1. When creating a custom role, any base role can be selected. A new permission labeled "Manage Security Testing" is available for selection.
  2. If the role is assigned at the group level, the user can perform the Group Actions indicated below on that group and its subgroups. This follows the existing waterfall permission model.
  3. If the role is assigned at the project level, the user can only perform the Project Actions indicated below, and only for that project.
  4. The admin_security_testing permission allows create, update, and delete on scanners and their settings, including:
Group Actions                              Project Actions
Group security configuration               Project security configuration
  • scanner configuration settings           • scanner configuration settings

Scanner Configuration Settings

Scanner configuration settings are the individual settings that can be modified as part of a configuration profile. A profile is a set of rules that defines the scanner's behavior, that is, how (but not when) a project is scanned. These include exclusions (things to exclude from a scan), customizations to the default detection rules, the scanner version, and the maximum scan depth. Scanner configuration settings do not include customizations applied to scan results, such as severity overrides or ignoring results; those remain outside this permission.
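To make the scope of the proposal concrete, here is a small authorization model of items 2 to 4 above together with the exclusion just described. It is an added example written for this page, not GitLab's authorization code or API. It assumes that a group-level assignment cascades to subgroups and the projects under them (the waterfall model), that a project-level assignment applies only to that project, and that the base role's own grants follow the page (group Owners and project Maintainers can edit settings). The action names admin_namespace_settings and admin_vulnerability, the sample hierarchy, and the memberships are constructed for illustration.

```python
"""Illustrative model of the proposed Manage Security Testing permission.

Written for this page; not GitLab's authorization code. See the lead-in for
the assumptions it encodes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# GitLab base access levels (the real numeric values used by the GitLab API).
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# admin_security_testing is the permission attribute named on this page.
# The other two are hypothetical labels used only in this model: one for
# "every other group/project setting", one for result customizations
# (severity overrides, dismissals), which the proposal excludes.
ADMIN_SECURITY_TESTING = "admin_security_testing"
ADMIN_NAMESPACE_SETTINGS = "admin_namespace_settings"   # hypothetical
ADMIN_VULNERABILITY = "admin_vulnerability"             # hypothetical label


@dataclass(frozen=True)
class Namespace:
    """A group or a project. Projects are leaves; groups may nest."""
    path: str
    kind: str                           # "group" or "project"
    parent: Optional["Namespace"] = None


@dataclass(frozen=True)
class Role:
    name: str
    base_access_level: int
    custom_permissions: FrozenSet[str] = frozenset()


def base_grants(level: int, kind: str) -> Set[str]:
    """What the base role alone may do on a namespace of the given kind."""
    admin_all = {ADMIN_SECURITY_TESTING, ADMIN_NAMESPACE_SETTINGS, ADMIN_VULNERABILITY}
    if kind == "project" and level >= MAINTAINER:   # project Maintainer
        return set(admin_all)
    if kind == "group" and level >= OWNER:          # group Owner
        return set(admin_all)
    return set()


def lineage(ns: Optional[Namespace]):
    """Yield the namespace, then each ancestor group up to the top level."""
    while ns is not None:
        yield ns
        ns = ns.parent


Memberships = Dict[Tuple[str, str], Role]   # (user, namespace path) -> role


def allowed(memberships: Memberships, user: str, action: str, target: Namespace) -> bool:
    """Waterfall check: a role held on the target or on any ancestor applies.

    A custom permission adds exactly the named action on top of the base
    role; it never widens the base role's other grants.
    """
    for ns in lineage(target):
        role = memberships.get((user, ns.path))
        if role is None:
            continue
        if action in base_grants(role.base_access_level, target.kind):
            return True
        if action in role.custom_permissions:
            return True
    return False


# Constructed sample hierarchy: acme -> platform (subgroup) -> api (project),
# plus a project directly under the top-level group.
ACME = Namespace("acme", "group")
PLATFORM = Namespace("acme/platform", "group", ACME)
API = Namespace("acme/platform/api", "project", PLATFORM)
WEB = Namespace("acme/web", "project", ACME)

# Developer + Manage Security Testing, the custom role the proposal describes.
SECURITY_TESTING_ROLE = Role(
    name="Security Testing Admin",
    base_access_level=DEVELOPER,
    custom_permissions=frozenset({ADMIN_SECURITY_TESTING}),
)

MEMBERSHIPS: Memberships = {
    ("alice", ACME.path): SECURITY_TESTING_ROLE,    # custom role at group level
    ("bob", WEB.path): SECURITY_TESTING_ROLE,       # custom role at project level
    ("carol", ACME.path): Role("Owner", OWNER),     # plain base role, for comparison
}


def audit(memberships: Memberships = MEMBERSHIPS) -> Dict[str, Dict[str, bool]]:
    """Per user, which action is held on which namespace."""
    targets = [ACME, PLATFORM, API, WEB]
    actions = (ADMIN_SECURITY_TESTING, ADMIN_NAMESPACE_SETTINGS, ADMIN_VULNERABILITY)
    return {
        user: {f"{a}@{t.path}": allowed(memberships, user, a, t) for t in targets for a in actions}
        for user in sorted({u for u, _ in memberships})
    }


if __name__ == "__main__":
    for user, grants in audit().items():
        print(user, "->", [k for k, v in grants.items() if v])
```

Running the audit shows the difference the proposal is after: alice holds admin_security_testing on the group, its subgroup and both projects and nothing else; bob holds it on acme/web only; carol, as a plain Owner, holds all three actions everywhere, which is the overprivileged state the custom role avoids.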

Scanner profiles will be similar across scan types (SAST, SCA, SD, DAST, etc.), but will vary in which settings need to be customizable. Here are the initial requirements for the scanner configuration settings included in the SD configuration profile.


Views+Workflows include:

  • Base + permission: Can see Group -> Secure -> Security Configuration -> All scanner settings
  • Base + permission: Can see Group -> Secure -> On-Demand scans -> All scanner settings
  • Base + permission: Can see Project -> Secure -> Security Configuration -> All scanner settings
  • Base + permission: Can see Project -> Secure -> On-Demand scans -> All scanner settings

Documentation

  • Permissions attribute: admin_security_testing
  • Permission Title: Manage Security Testing
  • Permission Description: Configure security testing at the group or project level.
Edited by Sara Meadzinger