Adherence check - Static Application Security Testing (SAST)
What does this MR do and why?
This MR adds an adherence check whenever a SAST scan runs on the default branch of a repository.
How does it do it?
- Whenever a SAST scanner runs in a pipeline, it creates a job artifact object.
- In the service that creates job artifacts, we check whether the artifact's file type is `sast` and whether the artifact's pipeline belongs to the default branch of the repository; only if both hold is the adherence check for the scan created. SAST reports from pipelines on any other ref (for example a merge request pipeline on a feature branch) are skipped, so they neither create nor update the check.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- You need a group with an Ultimate license; let's say the group is named `test-group`.
- Enable the feature flag by running `Feature.enable(:enable_adherence_check_for_scanners)` in the Rails console.
- Create a project in the group. I have created a reference project https://gitlab.com/issue-reproduce/hraghuvanshi-group/sast_adherence_test; you can also clone the contents of this project into your test project. It contains all the required files, including the pipeline configuration.
- Your project should contain a Ruby file for the SAST run and the SAST scanner config in your project's pipeline config.
- Once the pipeline for this project completes, an adherence check for the SAST scan is created, which you can inspect by running `Projects::ComplianceStandards::Adherence.where(project_id: <project_id>).last` in the Rails console.
- Scenarios:
  - Create a merge request for your project and make sure its pipeline completes. On checking `Projects::ComplianceStandards::Adherence.where(project_id: <project_id>).last` in the Rails console, the `updated_at` time should be the same as before the merge request pipeline started, which means the adherence check is neither created nor updated for non-default branches.
  - Merge the merge request into the default branch; once the pipeline for the merge finishes, the `updated_at` time should be updated.
- You can also use the refresh adherence checks mutation to refresh the adherence checks for a group's projects. It updates the time of the last status change of the checks:

```graphql
mutation runStandardsAdherenceChecks {
  refreshStandardsAdherenceChecks(input: {groupPath: "pipeline_testing"}) {
    adherenceChecksStatus {
      startedAt,
      totalChecks,
      checksCompleted
    }
  }
}
```
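The decision described under "How does it do it?" and the validation scenarios above, as an added example that is not the MR's code: plain Ruby with no Rails dependency, modelling the artifact-creation hook that records a SAST adherence check only for default-branch pipelines, and walking through the same four situations the local validation steps check (default-branch SAST report, merge request pipeline, non-SAST artifact, post-merge pipeline). The class and method names (`Project`, `Pipeline`, `JobArtifact`, `AdherenceStore`, `on_artifact_created`) and the integer clock are assumptions for illustration; the real check lives in GitLab's job artifact creation service and the `Projects::ComplianceStandards::Adherence` model.

```ruby
# Added example, not the MR's code: models the adherence-check decision the MR
# describes in plain Ruby so it runs without Rails. Project, Pipeline,
# JobArtifact, AdherenceStore and on_artifact_created are assumed names for
# illustration, not GitLab's actual classes.

Project     = Struct.new(:id, :default_branch)
Pipeline    = Struct.new(:project, :ref)
JobArtifact = Struct.new(:pipeline, :file_type)

# One adherence row per project, mirroring what the description queries with
# Projects::ComplianceStandards::Adherence.where(project_id: ...).last
AdherenceCheck = Struct.new(:project_id, :check_name, :status, :updated_at)

class AdherenceStore
  CHECK_NAME = 'sast' # assumed check name for the SAST scan

  # feature_enabled stands in for Feature.enabled?(:enable_adherence_check_for_scanners);
  # clock is injectable so the updated_at behaviour can be checked deterministically.
  def initialize(feature_enabled: true, clock: -> { Time.now })
    @feature_enabled = feature_enabled
    @clock = clock
    @checks = {} # project_id => AdherenceCheck
  end

  # Hook called for every artifact the job-artifact creation service produces.
  # Only a `sast` report from a pipeline on the project's default branch
  # creates or refreshes the check; everything else is a no-op.
  def on_artifact_created(artifact)
    return :feature_disabled unless @feature_enabled
    return :not_sast unless artifact.file_type == 'sast'

    pipeline = artifact.pipeline
    project  = pipeline.project
    return :not_default_branch unless pipeline.ref == project.default_branch

    upsert(project.id)
    :adherence_recorded
  end

  def last_check_for(project_id)
    @checks[project_id]
  end

  private

  # Create the row on first sight, otherwise only bump updated_at.
  def upsert(project_id)
    now = @clock.call
    if (existing = @checks[project_id])
      existing.updated_at = now
    else
      @checks[project_id] = AdherenceCheck.new(project_id, CHECK_NAME, :success, now)
    end
  end
end

# Constructed walk-through of the validation scenarios from the description.
def demo
  project = Project.new(42, 'main')
  t = 0
  store = AdherenceStore.new(clock: -> { t })

  # 1. Default-branch pipeline with a SAST report: the check is created.
  t = 100
  r1 = store.on_artifact_created(JobArtifact.new(Pipeline.new(project, 'main'), 'sast'))
  created_at = store.last_check_for(project.id).updated_at

  # 2. Merge request pipeline on a feature branch: updated_at must not move.
  t = 200
  r2 = store.on_artifact_created(JobArtifact.new(Pipeline.new(project, 'feature/x'), 'sast'))
  after_mr = store.last_check_for(project.id).updated_at

  # 3. Non-SAST artifact on the default branch: ignored.
  t = 300
  r3 = store.on_artifact_created(JobArtifact.new(Pipeline.new(project, 'main'), 'junit'))

  # 4. The merge lands and the default-branch pipeline runs SAST again: refreshed.
  t = 400
  r4 = store.on_artifact_created(JobArtifact.new(Pipeline.new(project, 'main'), 'sast'))
  after_merge = store.last_check_for(project.id).updated_at

  { results: [r1, r2, r3, r4], created_at: created_at, after_mr: after_mr, after_merge: after_merge }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the four outcomes and the three `updated_at` values; the merge request pipeline leaves the timestamp untouched while the post-merge default-branch pipeline advances it, which is exactly what the manual `Adherence.where(...).last` checks above look for.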
Related to #440722 (closed)
Edited by Hitesh Raghuvanshi