Support Versioned AST Templates and spec:inputs in Security Policies

Problem Statement

The Application Security Testing (AST) groups are implementing versioned CI templates and spec:inputs to adapt to GitLab's new deprecation guidelines that favor migration over breaking changes (as detailed in #523986). This approach will allow AST teams to introduce breaking changes in new template versions without impacting existing users.

However, in Security Policies (specifically the Policy UI Editor for Scan Execution Policies) we currently only support selecting between stable and latest template editions and configuring templates via CI variables. To fully support the new versioned templates approach, Security Policies must be enhanced to:

  1. Allow selection of specific template versions (e.g., SAST.v2.gitlab-ci.yml)
  2. Support the new spec:inputs configuration method

Requirements

1. Template Version Selection

As discussed in note #2536897634 and subsequent comments, Security Policies must be updated to:

  • Extend the current template edition dropdown (which currently only offers stable and latest) to include versioned templates
  • Create a registry/service that maintains a list of available template versions for consistent reference across the application
  • Update the UI to display and allow selection of these versioned templates

2. spec:inputs Support

For supporting spec:inputs in Scan Execution Policies (SEPs), we have two potential approaches:

Short-term solution:

  • Continue using the current CI variables interface in SEPs
  • Templates will implement a fallback mechanism where they check for CI variables when inputs aren't specified
  • This allows SEPs to maintain their current implementation while templates transition to inputs
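As an added illustration of the fallback mechanism (this is example configuration, not the issue's own content and not GitLab's shipped SAST template), a minimal versioned template that declares one input and falls back to the legacy CI variable when the input is left at its empty default. The file name follows the issue; the analyzer image, the script body and the `excluded_paths`/`SAST_EXCLUDED_PATHS_INPUT` names are constructed for the example.

```yaml
# Constructed example of SAST.v2.gitlab-ci.yml with a spec:inputs -> CI variable fallback.
# Not GitLab's actual template; the analyzer image and script are placeholders.
spec:
  inputs:
    excluded_paths:
      description: "Comma-separated paths to exclude from scanning"
      default: ""          # empty means "not provided": fall back to the CI variable
---
sast:
  stage: test
  image: registry.example.com/sast-analyzer:latest   # placeholder image
  variables:
    # Interpolated when the template is included. Kept in its own variable so the
    # template never redefines SAST_EXCLUDED_PATHS and the policy-supplied value survives.
    SAST_EXCLUDED_PATHS_INPUT: "$[[ inputs.excluded_paths ]]"
  script:
    - |
      # Input wins when set; otherwise keep whatever CI variable the
      # Scan Execution Policy (or project settings) provided.
      if [ -n "$SAST_EXCLUDED_PATHS_INPUT" ]; then
        export SAST_EXCLUDED_PATHS="$SAST_EXCLUDED_PATHS_INPUT"
      fi
      echo "Excluding: ${SAST_EXCLUDED_PATHS:-<none>}"
      /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
```

Because the input defaults to the empty string, a policy that still sets `SAST_EXCLUDED_PATHS` through the CI variables interface keeps working unchanged, while a consumer that passes `excluded_paths` takes the new path. Logging which source took effect, as the `echo` line does, makes it straightforward to confirm during the transition that a policy's configuration actually reached the scanner.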

Long-term solution:

  • Add UI support for configuring template inputs directly
  • Modify the SEP implementation to apply inputs when including templates
  • Create a dynamic system to discover available inputs for each template version
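As an added example (not taken from the issue), the CI configuration a Scan Execution Policy would generate under each of the two approaches above, shown as two separate YAML documents. It assumes the versioned template is reachable as `Jobs/SAST.v2.gitlab-ci.yml` and declares an `excluded_paths` input; both the path and the input name are assumptions.

```yaml
# Document 1: short-term approach. The policy keeps its existing CI variables
# interface and the versioned template reads the variable as a fallback.
# Template path is assumed.
include:
  - template: Jobs/SAST.v2.gitlab-ci.yml
variables:
  SAST_EXCLUDED_PATHS: "spec,test,vendor"
---
# Document 2: long-term approach. The policy passes the same setting through
# spec:inputs, which GitLab validates against the inputs the template declares.
# Input name is assumed.
include:
  - template: Jobs/SAST.v2.gitlab-ci.yml
    inputs:
      excluded_paths: "spec,test,vendor"
```

A real policy produces only one of these; they are shown side by side to compare the two interfaces. The inputs form is the stricter one: an input name the template does not declare fails pipeline creation instead of being silently ignored, whereas a misspelled CI variable simply has no effect, which is easy to miss when the intent is to enforce a scan setting.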

Implementation Plan

  1. Create Template Version Registry

    • Implement a service that maintains the list of available template versions
    • This registry will be used by both the UI and backend components
  2. Update Template Selection UI

    • Modify the Policy Editor UI to display versioned templates in the dropdown
    • Ensure proper validation and error handling for template selection
  3. Update SEP Template Processing

    • Modify the template.rb service to handle versioned templates
    • Ensure backward compatibility with existing policies
  4. Add spec:inputs Support (Future Phase)

    • Design UI for configuring template inputs
    • Implement backend support for applying inputs to template includes
    • Add validation for input values

Dependencies

  • This work depends on the implementation of versioned templates in #523986
  • Coordination with AST teams is required to ensure compatibility between templates and Security Policies

Acceptance Criteria

  1. Users can select specific versions of AST templates in the Security Policy Editor
  2. Scan Execution Policies correctly apply the selected template version when generating CI configuration
  3. CI variables configured in policies are properly passed to templates (supporting the fallback mechanism for spec:inputs)
  4. Existing policies continue to work without modification

Future Considerations

  • Full support for spec:inputs in the Policy Editor UI
  • Dynamic discovery of available inputs for each template version
  • Migration path for policies using older template versions