
Split Dependency Scanning report from SAST report in CI View

Description

In https://gitlab.com/gitlab-org/gitlab-ee/issues/4967 we decided to split our current SAST checks into two:

  1. "Real" SAST tools doing code analysis
  2. Dependency scanning tools, like Gemnasium

We want to differentiate these two items in our security reports. This requires separate reports for SAST and Dependency Scanning, so that each can be managed in the same way the single SAST report is managed now.

This issue is only about CI Views (see https://gitlab.com/gitlab-org/gitlab-ee/issues/3776 for more details), while MR widget is addressed in https://gitlab.com/gitlab-org/gitlab-ee/issues/4310.

Proposal

In order to achieve this result, we need to:

  1. split the current SAST report into two different artifacts, one for SAST and one for Dependency Scanning
  2. add a new section to the existing CI View (just below the SAST report), identical to the SAST section but with different copy ("Dependency Scanning" instead of "SAST"), that loads the Dependency Scanning report
  3. no changes should be needed for the SAST panel

Note: we'll keep a single sast job for the first iteration, since it is simpler to achieve. It will create two different reports as separate artifacts, each of which will feed its specific MR widget. Update: a new dependency_scanning job has been introduced instead.
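To make the artifact split concrete, here is a .gitlab-ci.yml sketch with two independent jobs, one per report, each publishing its own artifact for the CI View to load. This is an added example, not the project's own template or the job definitions from this issue: the image, the wrapper scripts under ci/ and the report file names are assumptions chosen for illustration.

```yaml
# Added example (not the project's template): one job per report type,
# each producing its own artifact. Image, ci/ wrapper scripts and the
# report file names are assumptions.
stages:
  - test

sast:
  stage: test
  image: docker:stable
  # hypothetical wrapper that runs only the code-analysis tools
  # and writes gl-sast-report.json to the working directory
  script:
    - ./ci/run-sast.sh
  # a scanner failure should not block the pipeline on its own
  allow_failure: true
  artifacts:
    paths:
      - gl-sast-report.json
    expire_in: 1 week

dependency_scanning:
  stage: test
  image: docker:stable
  # hypothetical wrapper that runs only the dependency checks
  # (Gemnasium-style) and writes gl-dependency-scanning-report.json
  script:
    - ./ci/run-dependency-scanning.sh
  allow_failure: true
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
    expire_in: 1 week
```

Because each job owns exactly one artifact, the CI View can fetch the SAST and Dependency Scanning reports independently and render them in separate sections, and a change to one scanner's output no longer touches the other panel.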

This is just to give an idea of the final result; it should be replaced by a proper design when ready:

[image: CI View mockup]

Design

Pipeline widget reference

[image: pipeline widget reference]

Security tab

[image: Security tab mockups]

Note:

  1. Order of the reports in the "list", with DAST as the last element:
     1. SAST
     2. Dependency Scanning
     3. Container Scanning
     4. DAST
  2. DAST will not show the "by analyzing the review app" text
  3. In CI View we will limit the height of each report to a scrollable 500px
  4. The "Complete vulnerabilities report" anchor will keep the existing SAST-style functionality and expand the report inline; changes to this functionality are deferred to https://gitlab.com/gitlab-org/gitlab-ee/issues/5322
Edited by Dimitrie Hoekstra