
Read security report schemas from RubyGem

What does this MR do and why?

Adds a dependency on the gitlab-security_report_schemas RubyGem (rubygems.org), which bundles GitLab's security report schemas, and a feature flag. When the flag is enabled, security report schemas are consumed from the RubyGem instead of from the monolith's repository.

Security schemas are used as part of the Security scanner integration to ensure that reports produced by analyzers can be parsed successfully by GitLab. Each JSON report declares which version of the Secure report schema it conforms to. When the report is parsed, it is validated against the schema for that version and is rejected if validation fails.
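To make the version-dispatch-then-reject behaviour concrete, here is an added Ruby example written for this page; it is not code from the gem or from GitLab, and the two schemas it contains are constructed stand-ins keyed by version (the real schemas are full JSON Schema documents). `validate_report`, `REPORT_SCHEMAS` and the sample reports are all hypothetical names introduced for the example.

```ruby
require 'json'

# Constructed, simplified schemas keyed by report version. These are
# stand-ins for the example only, not GitLab's real JSON Schema files.
REPORT_SCHEMAS = {
  '15.0.0' => {
    required: %w[version scan vulnerabilities],
    types: { 'version' => String, 'scan' => Hash, 'vulnerabilities' => Array }
  },
  '14.1.3' => {
    required: %w[version vulnerabilities],
    types: { 'version' => String, 'vulnerabilities' => Array }
  }
}.freeze

ValidationResult = Struct.new(:valid, :schema_version, :errors) do
  def valid?
    valid
  end
end

# Parse a raw JSON report, look up the schema named by its "version" field,
# and reject the report on a malformed document, an unknown version, a
# missing required property, or a property of the wrong JSON type.
def validate_report(raw_json)
  report = JSON.parse(raw_json)
  unless report.is_a?(Hash)
    return ValidationResult.new(false, nil, ['report root must be a JSON object'])
  end

  version = report['version']
  schema = REPORT_SCHEMAS[version]
  unless schema
    known = REPORT_SCHEMAS.keys.join(', ')
    return ValidationResult.new(false, version,
                                ["unsupported schema version #{version.inspect}; known: #{known}"])
  end

  errors = []
  schema[:required].each do |key|
    errors << "missing required property '#{key}'" unless report.key?(key)
  end
  schema[:types].each do |key, klass|
    next unless report.key?(key)
    errors << "property '#{key}' must be #{klass}" unless report[key].is_a?(klass)
  end
  ValidationResult.new(errors.empty?, version, errors)
rescue JSON::ParserError => e
  ValidationResult.new(false, nil, ["malformed JSON: #{e.message}"])
end

# Constructed sample reports for the example (not the snippet files used in
# the MR's validation steps).
VALID_REPORT = JSON.generate(
  'version' => '15.0.0',
  'scan' => { 'type' => 'container_scanning', 'status' => 'success' },
  'vulnerabilities' => [{ 'id' => 'example-1', 'severity' => 'High' }]
)
# Missing "scan" and has "vulnerabilities" as a string: two schema errors.
INVALID_REPORT = JSON.generate(
  'version' => '15.0.0',
  'vulnerabilities' => 'not-an-array'
)
# Well-formed but declares a version no schema exists for.
UNKNOWN_VERSION_REPORT = JSON.generate('version' => '99.0.0', 'vulnerabilities' => [])

if $PROGRAM_NAME == __FILE__
  [VALID_REPORT, INVALID_REPORT, UNKNOWN_VERSION_REPORT].each do |raw|
    result = validate_report(raw)
    verdict = result.valid? ? 'accepted' : 'rejected'
    puts "#{result.schema_version.inspect}: #{verdict} #{result.errors.join('; ')}"
  end
end
```

The point of the version lookup is that a report is never validated against "the latest" schema: it is validated against the schema it names, and a version the server does not ship is itself a rejection, which is exactly what moving the schemas into a versioned gem has to preserve.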

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Enable the feature flag:
echo "Feature.enable(:security_report_schemas_rubygem)" | rails c
  • Create a new project and commit the following .gitlab-ci.yml:
report:
  image: alpine
  stage: test
  rules:
    - if: $REPORT_FILE
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [gl-container-scanning-report.json]
  script:
    - apk update && apk add curl
    - curl -o gl-container-scanning-report.json "https://gitlab.com/-/snippets/3732098/raw/main/$REPORT_FILE"
  • Navigate to Build > Pipelines, run a pipeline and set REPORT_FILE to:

    • report-15.0.0-valid.json
    • report-15.0.0-invalid.json
    • report-14.1.3-valid.json
  • Navigate to Secure > Vulnerability report, set the activity dropdown to All activity, and verify both vulnerabilities were ingested.

  • Repeat the above with the feature flag disabled.

Related to #383516, #383507 (closed), #479410 (closed)

Edited by Dominic Bauer
