Add dependency scanning to scan execution policies
What does this MR do and why?
Adds support for Dependency scanning to Scan execution policies.
Scan execution policies allow specifying mandatory security scans to be run on schedules or to be injected into other pipelines.
Similar to the existing support for SAST scans, Dependency scans are executed in a child pipeline.
How to set up and validate locally
Validate `type: pipeline` policies
- Create a new project
- Navigate to Security & Compliance > Policies
- Click "New policy" > Scan execution policy
- Switch to YAML mode and enter the following policy:
```yaml
type: scan_execution_policy
name: Test
description: ''
enabled: true
rules:
- type: pipeline
  branches:
  - '*'
actions:
- scan: dependency_scanning
```
- Click "Configure with a merge request" and merge the resulting policy MR
- Commit the following `.gitlab-ci.yml`:
```yaml
dummy_job:
  stage: test
  script: ":" # no-op
```
- Commit the following `Gemfile.lock`:
```
GEM
  remote: https://rubygems.org/
  specs:
    rack (0.1.0)

PLATFORMS
  x86_64-darwin-20

DEPENDENCIES
  rack (= 0.1.0)

BUNDLED WITH
   2.3.22
```
- Navigate to CI/CD > Pipelines and run a pipeline for the main branch
- Verify that the following were created: (1) the `dummy_job` job and (2) the `dependency-scanning-0` child pipeline with a `gemnasium-dependency_scanning` job
- Navigate to Security & Compliance > Vulnerability Report and verify it does indeed contain six `rack` vulnerabilities from Dependency Scanning
- Resolve all detected vulnerabilities
Validate `type: schedule` policies
- In the previously created project, navigate to Security & Compliance > Policies
- Click "New policy" > Scan execution policy
- Configure any schedule for the main branch, as in:
```yaml
type: scan_execution_policy
name: Dependency Scanning
description: ''
enabled: true
rules:
- type: schedule
  branches:
  - main
  cadence: "0 0 * * *"
actions:
- scan: dependency_scanning
```
- Click "Configure with a merge request" and merge the resulting policy MR
- Create a new file with the following contents, e.g. `schedule.rb`:
```ruby
# Pick up the schedule created by the policy merged above
schedule = Security::OrchestrationPolicyRuleSchedule.last
project = schedule.security_orchestration_policy_configuration.project
current_user = schedule.owner
# Trigger the scheduled scan execution immediately instead of waiting for the cadence
Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)
```
- Execute it: `bin/rails runner schedule.rb`
- Navigate to Security & Compliance > Vulnerability Report and verify it does indeed contain six `rack` vulnerabilities from Dependency Scanning
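Both validation procedures above end with the same manual check: a `dependency-scanning-0` child pipeline exists and runs a `gemnasium-dependency_scanning` job. The script below, an added example that is not part of this MR or of GitLab's code, automates that check over the GitLab REST API (`/projects/:id/pipelines/:pipeline_id/bridges` and `.../jobs`); the environment variable names and the sample JSON responses are constructed for illustration.

```python
"""Check that a scan execution policy injected the dependency scanning child pipeline.
Added example (not from the MR). Assumes GitLab API v4 bridge/job endpoints; the
environment variable names and sample responses are constructed for illustration."""
import json
import os
import urllib.request

BRIDGE_NAME = "dependency-scanning-0"           # child pipeline the policy creates
EXPECTED_JOB = "gemnasium-dependency_scanning"  # scanner job expected inside it
HEALTHY = {"created", "pending", "running", "success"}  # anything else counts as a failure

def api_get(base_url, token, path):
    """GET an API v4 path with a private token and return the parsed JSON."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_policy_child(bridges):
    """Return the downstream pipeline id of the policy's bridge job, or None if absent."""
    for bridge in bridges:
        if bridge.get("name") == BRIDGE_NAME and bridge.get("downstream_pipeline"):
            return bridge["downstream_pipeline"]["id"]
    return None

def check_child_jobs(jobs):
    """Return (ok, problems): the scanner job must exist and must not have failed."""
    by_name = {job["name"]: job for job in jobs}
    job = by_name.get(EXPECTED_JOB)
    if job is None:
        return False, [f"{EXPECTED_JOB!r} missing from child pipeline; found {sorted(by_name)}"]
    if job.get("status") not in HEALTHY:
        return False, [f"{EXPECTED_JOB!r} has status {job.get('status')!r}"]
    return True, []

def verify(bridges, child_jobs_by_id):
    """Run both checks; child_jobs_by_id maps a child pipeline id to its job list."""
    child_id = find_policy_child(bridges)
    if child_id is None:
        return False, [f"no bridge {BRIDGE_NAME!r}: the policy did not inject a scan"]
    return check_child_jobs(child_jobs_by_id.get(child_id, []))

# Constructed sample responses, shaped like the real endpoints return them.
SAMPLE_BRIDGES = [{"name": BRIDGE_NAME, "status": "success",
                   "downstream_pipeline": {"id": 42, "status": "success"}}]
SAMPLE_CHILD_JOBS = {42: [{"name": EXPECTED_JOB, "stage": "test", "status": "success"}]}

if __name__ == "__main__":  # live check against a pipeline run for the policy's branch
    base, tok = os.environ["GITLAB_URL"], os.environ["GITLAB_TOKEN"]
    proj, pipe = os.environ["PROJECT_ID"], os.environ["PIPELINE_ID"]
    bridges = api_get(base, tok, f"/projects/{proj}/pipelines/{pipe}/bridges")
    child = find_policy_child(bridges)
    jobs = {child: api_get(base, tok, f"/projects/{proj}/pipelines/{child}/jobs")} if child else {}
    print(verify(bridges, jobs))
```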
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #378428 (closed)
Edited by Dominic Bauer