Add dependency scanning to scan execution policies
What does this MR do and why?
Adds support for Dependency scanning to Scan execution policies.
Scan execution policies allow specifying mandatory security scans to be run on schedules or to be injected into other pipelines.
Similar to the existing support for SAST scans, Dependency scans are executed in a child pipeline.
How to set up and validate locally
Validate `type: pipeline` policies
- Create a new project
- Navigate to Security & Compliance > Policies
- Click "New policy" > Scan execution policy
- Switch to YAML mode and enter the following policy:

  ```yaml
  type: scan_execution_policy
  name: Test
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: dependency_scanning
  ```
- Click "Configure with a merge request" and merge the resulting policy MR
- Commit the following `.gitlab-ci.yml`:

  ```yaml
  dummy_job:
    stage: test
    script: ":" # no-op
  ```
- Commit the following `Gemfile.lock`:

  ```
  GEM
    remote: https://rubygems.org/
    specs:
      rack (0.1.0)

  PLATFORMS
    x86_64-darwin-20

  DEPENDENCIES
    rack (= 0.1.0)

  BUNDLED WITH
     2.3.22
  ```
- Navigate to CI/CD > Pipelines and run a pipeline for the main branch
- Verify that both (1) the `dummy_job` job and (2) the `dependency-scanning-0` child pipeline with a `gemnasium-dependency_scanning` job were created
- Navigate to Security & Compliance > Vulnerability Report and verify it does indeed contain six `rack` vulnerabilities from Dependency Scanning
- Resolve all detected vulnerabilities
Validate `type: schedule` policies
- In the previously created project, navigate to Security & Compliance > Policies
- Click "New policy" > Scan execution policy
- Configure any schedule for the main branch, as in:

  ```yaml
  type: scan_execution_policy
  name: Dependency Scanning
  description: ''
  enabled: true
  rules:
    - type: schedule
      branches:
        - main
      cadence: "0 0 * * *"
  actions:
    - scan: dependency_scanning
  ```
- Click "Configure with a merge request" and merge the resulting policy MR
- Create a new file with the following contents, e.g. `schedule.rb`:

  ```ruby
  # Pick up the schedule created when the policy MR was merged
  schedule = Security::OrchestrationPolicyRuleSchedule.last
  project = schedule.security_orchestration_policy_configuration.project
  current_user = schedule.owner
  # Run the scheduled scan now instead of waiting for the cadence to fire
  Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)
  ```
- Execute it:

  ```shell
  bin/rails runner schedule.rb
  ```
- Navigate to Security & Compliance > Vulnerability Report and verify it does indeed contain six `rack` vulnerabilities from Dependency Scanning
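As an added example (not code from this MR or from GitLab itself), a small Ruby script that reads scan execution policies like the two above and reports which scans a pipeline on a given branch would receive and which scans are scheduled; it approximates GitLab's branch wildcard matching with `File.fnmatch`, which is an assumption.

```ruby
# Added example, not part of this MR: reads a scan execution policy and reports which scans
# a pipeline on a branch would receive and which run on a schedule. Branch wildcards ('*')
# are matched with File.fnmatch, an assumption rather than GitLab's own matching code.
require 'yaml'
def load_policy(yaml_text)
  policy = YAML.safe_load(yaml_text)
  raise ArgumentError, 'not a scan execution policy' unless policy['type'] == 'scan_execution_policy'
  raise ArgumentError, 'policy needs rules and actions' if policy['rules'].to_a.empty? || policy['actions'].to_a.empty?
  policy
end

def branch_matches?(patterns, branch)
  Array(patterns).any? { |pattern| File.fnmatch(pattern, branch) }
end

# Scans injected into a regular pipeline running on `branch` (rules of type: pipeline).
def scans_for_pipeline(policy, branch)
  return [] unless policy['enabled']
  applies = policy['rules'].any? { |r| r['type'] == 'pipeline' && branch_matches?(r['branches'], branch) }
  applies ? policy['actions'].map { |a| a['scan'] }.uniq : []
end

# Scans the scheduler would run (rules of type: schedule), with cadence and target branches.
def scheduled_scans(policy)
  return [] unless policy['enabled']
  policy['rules'].select { |r| r['type'] == 'schedule' }.map do |r|
    { cadence: r['cadence'], branches: Array(r['branches']), scans: policy['actions'].map { |a| a['scan'] }.uniq }
  end
end
# Constructed sample policies mirroring the two used in the validation steps above.
PIPELINE_POLICY = <<~YAML
  type: scan_execution_policy
  enabled: true
  rules:
    - type: pipeline
      branches: ['*']
  actions:
    - scan: dependency_scanning
YAML
SCHEDULE_POLICY = <<~YAML
  type: scan_execution_policy
  enabled: true
  rules:
    - type: schedule
      branches: [main]
      cadence: "0 0 * * *"
  actions:
    - scan: dependency_scanning
YAML
```

A disabled policy (`enabled: false`) yields no scans from either function, which is the quickest way to confirm a policy that appears in the UI but never injects a job is simply switched off.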
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #378428 (closed)
Edited by Dominic Bauer