Prevent analyzers from being excluded in scan execution pipelines
What does this MR do and why?
This MR fixes an oversight where it was possible to exclude certain analyzers from being run in scan execution pipelines.
How to set up and validate locally
- Add the following `.gitlab-ci.yml`:

  ```yaml
  build-job:
    stage: build
    script:
      - echo "Compiling the code..."
      - echo "Compile complete."

  include:
    - template: Security/SAST.gitlab-ci.yml
  ```

- Add a `run_os_script.rb` file to the project:

  ```ruby
  class Generic
    def run_on_system
      system("ls")
    end
  end
  ```

- Go to Secure -> Policies and create a new Scan Execution policy:

  ```yaml
  name: SAST
  description: ''
  enabled: true
  actions:
    - scan: sast
  rules:
    - type: pipeline
      branches:
        - "*"
  ```

- Go to Settings -> CI/CD -> Variables and add a new variable:
- Go to Pipelines and run a new pipeline for the `main` branch.
- Verify that the `brakeman-sast-0` job is still present in the pipeline.
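The last validation step can be scripted. The following is an added example, not code from this MR or from GitLab: given the pipeline's job list as returned by the GitLab Jobs API (a constructed sample here) and the scan execution policy above, it reports every policy-required analyzer that has no job in the pipeline. The analyzer list passed in and the `<analyzer>-<scan>[-<n>]` job naming are assumptions.

```ruby
require 'json'
require 'yaml'

# Constructed sample of what the GitLab Jobs API (GET /projects/:id/pipelines/:pipeline_id/jobs)
# returns for the validation pipeline, trimmed to the fields used here.
SAMPLE_JOBS_JSON = <<~JSON
  [
    {"id": 1, "name": "build-job", "stage": "build", "status": "success"},
    {"id": 2, "name": "brakeman-sast-0", "stage": "test", "status": "success"},
    {"id": 3, "name": "semgrep-sast", "stage": "test", "status": "success"}
  ]
JSON

# The scan execution policy from the setup steps above.
POLICY_YAML = <<~YAML
  name: SAST
  description: ''
  enabled: true
  actions:
    - scan: sast
  rules:
    - type: pipeline
      branches:
        - "*"
YAML

# Assumed naming: analyzer jobs are "<analyzer>-<scan>" or "<analyzer>-<scan>-<n>" for parallel jobs.
def analyzer_job?(name, analyzer, scan)
  name.match?(/\A#{Regexp.escape(analyzer)}-#{Regexp.escape(scan)}(-\d+)?\z/)
end

# Returns the analyzers required by the policy's scan actions that have no job in the pipeline.
# required_analyzers maps a scan type (e.g. "sast") to the analyzers expected for it (assumed list).
def missing_analyzer_jobs(policy_yaml, jobs_json, required_analyzers)
  policy = YAML.safe_load(policy_yaml)
  return [] unless policy['enabled'] # a disabled policy mandates nothing
  jobs = JSON.parse(jobs_json).map { |j| j['name'] }
  policy['actions'].flat_map do |action|
    scan = action['scan']
    (required_analyzers[scan] || []).reject do |analyzer|
      jobs.any? { |n| analyzer_job?(n, analyzer, scan) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  missing = missing_analyzer_jobs(POLICY_YAML, SAMPLE_JOBS_JSON, 'sast' => %w[brakeman semgrep])
  puts(missing.empty? ? 'all policy-required analyzer jobs present' : "missing: #{missing.join(', ')}")
end
```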
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #420700 (closed)
Merge request reports
Activity
changed milestone to %16.4
assigned to @mcavoj
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:

Category | Reviewer | Maintainer
---|---|---
backend | Tianwen Chen (@tianwenchen) (UTC+8, 6 hours ahead of @mcavoj) | Niko Belokolodov (@nbelokolodov) (UTC+12, 10 hours ahead of @mcavoj)
~"Verify" | Reviewer review is optional for ~"Verify" | Stan Hu (@stanhu) (UTC-7, 9 hours behind @mcavoj)

Please check reviewer's status!
Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
Edited by Ghost User

@mcavoj Some end-to-end (E2E) tests should run based on the stage label.
Please start the `trigger-omnibus-and-follow-up-e2e` job in the `qa` stage and ensure tests in the `follow-up-e2e:package-and-test-ee` pipeline pass before this MR is merged. (E2E tests are computationally intensive and don't run automatically for every push/rebase, so we ask you to run this job manually at least once.) To run all E2E tests, apply the pipeline:run-all-e2e label and run a new pipeline.
E2E test jobs are allowed to fail due to flakiness. See current failures at the latest pipeline triage issue.
Once done, apply the emoji on this comment. Team members only: for any questions or help, reach out on the internal #quality Slack channel.

added 1 commit
- 6fb2472c - Prevent analyzers from being excluded in scan execution pipelines
requested review from @mc_rocha
Allure report
allure-report-publisher generated test report!

e2e-test-on-gdk: test report for 6fb2472c

Suite | passed | failed | skipped | flaky | total | result
---|---|---|---|---|---|---
Data Stores | 20 | 0 | 0 | 0 | 20 | ✅
Create | 38 | 0 | 0 | 2 | 38 | ❗
Plan | 47 | 0 | 0 | 0 | 47 | ✅
Govern | 36 | 0 | 0 | 0 | 36 | ✅
Verify | 8 | 0 | 0 | 0 | 8 | ✅
Manage | 12 | 0 | 1 | 1 | 13 | ❗
Total | 161 | 0 | 1 | 3 | 162 | ❗

e2e-package-and-test: test report for 6fb2472c

Suite | passed | failed | skipped | flaky | total | result
---|---|---|---|---|---|---
Govern | 167 | 0 | 3 | 6 | 170 | ❗
Create | 151 | 0 | 20 | 13 | 171 | ❗
Data Stores | 4 | 0 | 0 | 0 | 4 | ✅
Plan | 8 | 0 | 0 | 0 | 8 | ✅
Monitor | 8 | 0 | 0 | 0 | 8 | ✅
Package | 0 | 0 | 2 | 0 | 2 | ➖
Framework sanity | 0 | 0 | 2 | 0 | 2 | ➖
Manage | 2 | 0 | 0 | 0 | 2 | ✅
Total | 340 | 0 | 27 | 19 | 367 | ❗

Edited by Ghost User
requested review from @cablett
requested review from @mbobin
@mc_rocha, thanks for approving this merge request. This is the first time the merge request has been approved. To ensure full test coverage, a new pipeline will be started shortly.
For more info, please refer to the following links:
added pipeline:mr-approved label
removed review request for @mc_rocha