GitLab security scanners controls
Problem to solve
To adhere to regulatory standards and to provide evidence of compliance, I need to be able to generate a report for auditors detailing the last date/time each of my repositories was scanned by each security scanner. I would also use this data to take action on projects that are out of compliance, bring them into compliance, and ensure that the scanners are properly enabled and enforced to run.
Proposal
Create a new control for each scan type to confirm that the security scanner is running correctly and that there is a build artifact.
The security scanners to include (aligned with our marketing page here):
- SAST can be enabled to configure SAST for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/sast/index.html#configure-sast-by-using-the-ui
- Secret Detection can be enabled to configure Secret Detection for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html#use-an-automatically-configured-merge-request
- Dependency Scanning can be enabled to configure Dependency Scanning for the current project. For more details, https://docs.gitlab.com/ee/tutorials/dependency_scanning.html
- Container Scanning can be enabled to configure Container Scanning for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#enable-container-scanning-through-an-automatic-merge-request
- DAST can be enabled to configure DAST for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/dast/on-demand_scan.html
- Coverage Fuzzing can be enabled to configure Coverage Fuzzing for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/index.html#enable-coverage-guided-fuzz-testing
- API Fuzzing can be enabled to configure API Fuzzing for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/api_fuzzing/configuration/enabling_the_analyzer.html
- Code Quality can be enabled to configure Code Quality for the current project. For more details, https://docs.gitlab.com/ee/ci/testing/code_quality.html#enable-code-quality
- Operational Container Scanning can be enabled to configure Operational Container Scanning for the current project. For more details, https://docs.gitlab.com/ee/user/clusters/agent/vulnerabilities.html#enable-operational-container-scanning
- Infrastructure as Code (IaC) scanning can be enabled to configure IaC scanning for the current project. For more details, https://docs.gitlab.com/user/application_security/iac_scanning/
The control names will be:
- scanner_sast_running
- scanner_secret_detection_running
- scanner_dep_scanning_running
- scanner_container_scanning_running
- scanner_license_compliance_running
- scanner_dast_running
- scanner_api_security_running
- scanner_fuzz_testing_running
- scanner_code_quality_running
- scanner_iac_running
Implementation plan
Controls currently need to be added in four different places:
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/compliance_management/requirement_controls.json?ref_type=heads
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/validators/json_schemas/compliance_requirements_control_expression.json?ref_type=heads
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/compliance_management/compliance_framework/compliance_requirements_control.rb?ref_type=heads
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/compliance_management/compliance_requirements/project_fields.rb?ref_type=heads
For the first control of each security scanner we can use the enabled field of the SecurityScanners GraphQL type, see https://docs.gitlab.com/api/graphql/reference/#securityscanners
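As an added illustration of how the proposed scanner_*_running controls could be evaluated from that GraphQL type (example code written for this issue, not GitLab's own implementation), the Ruby below maps each control to a SecurityScannerType value and treats a control as passing only when the scanner both appears in enabled and actually ran in the latest pipeline (pipelineRun). The control-to-enum mapping and the use of pipelineRun alongside enabled are assumptions of this example; license compliance and Code Quality are left out because SecurityScanners does not report them.

```ruby
require 'json'

# GraphQL query to fetch the scanner state for one project. Assumed field names
# `enabled` and `pipelineRun` from the SecurityScanners type; in real use this is
# POSTed to /api/graphql with a token. Example code, not GitLab's own.
SCANNERS_QUERY = <<~GRAPHQL
  query($path: ID!) {
    project(fullPath: $path) {
      securityScanners { enabled pipelineRun }
    }
  }
GRAPHQL

# Proposed control name -> SecurityScannerType enum value it checks (assumed
# mapping). scanner_license_compliance_running and scanner_code_quality_running
# need a different data source, since SecurityScanners does not cover them.
CONTROL_SCANNERS = {
  'scanner_sast_running'               => 'SAST',
  'scanner_secret_detection_running'   => 'SECRET_DETECTION',
  'scanner_dep_scanning_running'       => 'DEPENDENCY_SCANNING',
  'scanner_container_scanning_running' => 'CONTAINER_SCANNING',
  'scanner_dast_running'               => 'DAST',
  'scanner_api_security_running'       => 'API_FUZZING',
  'scanner_fuzz_testing_running'       => 'COVERAGE_FUZZING',
  'scanner_iac_running'                => 'SAST_IAC'
}.freeze

# Evaluate every control for one project's securityScanners object. A scanner
# that is enabled in CI config but did not run in the latest pipeline gets its
# own status, so the auditor report can distinguish "configured" from "enforced".
def evaluate_controls(security_scanners)
  enabled = Array(security_scanners['enabled'])
  ran     = Array(security_scanners['pipelineRun'])
  CONTROL_SCANNERS.to_h do |control, scanner|
    status = if ran.include?(scanner) then :pass
             elsif enabled.include?(scanner) then :enabled_not_run
             else :fail
             end
    [control, status]
  end
end

# Controls that need action on this project (anything other than a clean pass).
def noncompliant_controls(results)
  results.reject { |_, status| status == :pass }.keys
end

# Constructed sample standing in for the securityScanners part of a real reply.
SAMPLE = JSON.parse(<<~JSON)
  {"enabled": ["SAST", "SECRET_DETECTION", "DEPENDENCY_SCANNING"],
   "pipelineRun": ["SAST", "SECRET_DETECTION"]}
JSON
```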