SecureFlag integration
What does this MR do and why?
Adds a new SecureFlag training provider for vulnerability reports as per discussions with @matt_wilson & @mlebeau, who are no longer at GitLab. Note: GitLab point of contact is now @abellucci. SecureFlag is a new Alliance partner and more about us can be found over here https://www.secureflag.com/about.
Related issue: https://gitlab.com/gitlab-com/alliances/alliances/-/issues/297
If an article/post in our knowledge base (https://knowledge-base.secureflag.com/) is found for a given CWE number and/or language, then a link to that article is returned. The article content is free, though running labs is a commercial feature.
Screenshots or screen recordings
How to set up and validate locally
- Add SecureFlag data to the security_training_providers table in PSQL (I hear migration is done on GitLab's end? Not sure how it works)
- Enable SecureFlag as a training provider on a repo under Security & Compliance -> Configuration -> Vulnerability Management
- Add a vulnerability report manually, or alternatively clone https://github.com/msdousti/OWASP-Java and set up Semgrep SAST in CI/CD to generate some vulnerability reports.
- View the vulnerability report, and check the Training section
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.