Adherence check - Static Application Security Testing (SAST)
What does this MR do and why?
This MR adds an adherence check whenever a SAST scan runs on the default branch of a repository.
How does it do it?
- Whenever a SAST scanner runs in a pipeline, it creates a job artifact object.
- In the service that creates job artifacts, we check whether the artifact's file type is `sast` and whether the artifact's pipeline belongs to the default branch of the repository; only when both hold do we create the adherence check for the scan.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- You need to have a group with an Ultimate license; let's say the name of the group is `test-group`.
- Enable the feature flag by running `Feature.enable(:enable_adherence_check_for_scanners)` in the rails console.
- Create a project in the group. I have created a reference project, https://gitlab.com/issue-reproduce/hraghuvanshi-group/sast_adherence_test; you can also clone the contents of this project into your test project. It contains all the required files, including the pipeline configuration.
- You should have a ruby file in your project for the SAST run and the SAST scanner config in your project's pipeline config.
- Once the pipeline for this project completes, an adherence check for the SAST scan will be created, which you can check by running `Projects::ComplianceStandards::Adherence.where(project_id: <project_id>).last` in the rails console.
- Scenarios:
  - Create a merge request for your project and make sure the pipeline completes. On checking `Projects::ComplianceStandards::Adherence.where(project_id: <project_id>).last` in the rails console, the `updated_at` time should be the same as before the merge request pipeline started, which means the adherence check should not be created or updated for non-default branches.
  - Merge the merge request into the default branch; once the pipeline for the merge finishes, the `updated_at` time should get updated.
- You can also check the refresh adherence checks mutation for refreshing the adherence checks of a group's projects. The mutation is as follows; it will update the time of the last status change of the checks:

```graphql
mutation runStandardsAdherenceChecks {
  refreshStandardsAdherenceChecks(input: {groupPath: "pipeline_testing"}) {
    adherenceChecksStatus {
      startedAt,
      totalChecks,
      checksCompleted
    }
  }
}
```
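The following is an added example, not code from this MR or from GitLab, that models the gate described under "How does it do it?" and the two validation scenarios above in plain Ruby. `Pipeline`, `JobArtifact`, `Adherence`, `AdherenceStore` and `record_sast_adherence!` are hypothetical stand-ins for the Rails models and the job-artifact service; the clock is injected so the `updated_at` behaviour (unchanged for a merge request pipeline, touched for a default-branch pipeline) can be checked deterministically.

```ruby
# Added example (not GitLab's own code): a plain-Ruby model of the gating this
# MR describes. All names below are hypothetical stand-ins for the real models.
Pipeline = Struct.new(:project_id, :ref, :default_branch, keyword_init: true) do
  def default_branch?
    ref == default_branch
  end
end

JobArtifact = Struct.new(:file_type, :pipeline, keyword_init: true)

Adherence = Struct.new(:project_id, :check_name, :status, :updated_at, keyword_init: true)

class AdherenceStore
  # clock: a callable returning the current time, injected so the
  # updated_at behaviour can be checked without sleeping or stubbing Time.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # [project_id, check_name] => Adherence
  end

  # The gate from "How does it do it?": only a SAST report artifact whose
  # pipeline ran on the default branch may create or refresh a check.
  def self.sast_on_default_branch?(artifact)
    artifact.file_type == 'sast' && artifact.pipeline.default_branch?
  end

  # Returns the created or touched Adherence, or nil when the gate rejects the
  # artifact (non-default branch, or a report type other than sast).
  def record_sast_adherence!(artifact)
    return nil unless self.class.sast_on_default_branch?(artifact)

    key = [artifact.pipeline.project_id, :sast]
    now = @clock.call
    if (existing = @records[key])
      existing.updated_at = now # touch the time even when the status is unchanged
      existing
    else
      @records[key] = Adherence.new(project_id: artifact.pipeline.project_id,
                                    check_name: :sast, status: :success, updated_at: now)
    end
  end

  def last_for(project_id)
    @records[[project_id, :sast]]
  end
end

# Walk through the validation scenarios from the MR description with a scripted
# clock and return the observations a tester would otherwise read off the console.
def run_validation_scenarios
  times = [Time.utc(2024, 9, 1, 10, 0, 0), Time.utc(2024, 9, 1, 11, 0, 0)] # constructed sample times
  store = AdherenceStore.new(clock: -> { times.shift })
  project_id = 42 # constructed sample project id

  on_master = lambda do |type|
    JobArtifact.new(file_type: type,
                    pipeline: Pipeline.new(project_id: project_id, ref: 'master', default_branch: 'master'))
  end
  on_feature = lambda do |type|
    JobArtifact.new(file_type: type,
                    pipeline: Pipeline.new(project_id: project_id, ref: 'feature/x', default_branch: 'master'))
  end

  first = store.record_sast_adherence!(on_master.call('sast')) # first default-branch pipeline
  after_first = store.last_for(project_id).updated_at

  mr_result = store.record_sast_adherence!(on_feature.call('sast'))        # merge request pipeline: ignored
  metrics_result = store.record_sast_adherence!(on_master.call('metrics')) # other report types: ignored
  after_mr = store.last_for(project_id).updated_at

  store.record_sast_adherence!(on_master.call('sast')) # pipeline after the merge: check is touched
  after_merge = store.last_for(project_id).updated_at

  {
    created: !first.nil?,
    mr_pipeline_created_or_updated: !mr_result.nil? || after_mr != after_first,
    metrics_artifact_created_check: !metrics_result.nil?,
    updated_after_merge: after_merge > after_first
  }
end

puts run_validation_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

The point of the injected clock is that the second scenario is a negative test: the only observable evidence that the merge request pipeline was ignored is that `updated_at` did not move, so the example records the timestamp before and after that pipeline rather than only checking that no record was created.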
Related to #440722 (closed)
changed milestone to %17.4
assigned to @hraghuvanshi
added pipelinetier-1 label
1 Message: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
Documentation review
The following files require a review from a technical writer:
- `doc/api/graphql/reference/index.md` (Link to current live version)
The review does not need to block merging this merge request. See the:
- Metadata for the `*.md` files that you've changed. The first few lines of each `*.md` file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
| Category | Reviewer | Maintainer |
| --- | --- | --- |
| backend | @tyleramos (UTC-4, 9.5 hours behind author) | @radbatnag (UTC+8, 2.5 hours ahead of author) |
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
Sidekiq queue changes
This merge request contains changes to Sidekiq queues. Please follow the documentation on changing a queue's urgency.
These queues were added:
- `compliance_management_standards_gitlab_sast`
- `compliance_management_standards_gitlab_sast_group`
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
added 2794 commits
- 8bfdebb0...a56f9a0a - 2791 commits from branch master
- 4176b992 - Added sast workers
- f1d876b0 - Added sast workers
- 8b4e48c6 - Updated queues yml
added 2 commits
A deleted user added frontend label
mentioned in issue #440722 (closed)
mentioned in issue gitlab-org/govern/compliance/general#253
11 11 override :track_artifact_uploader 12 12 def track_artifact_uploader(artifact) 13 13 super 14 return unless artifact.file_type == 'metrics' 14 return unless artifact.file_type == 'metrics' || artifact.file_type == 'sast' 15 15 16 track_usage_event(METRICS_REPORT_UPLOAD_EVENT_NAME, job.user_id) 16 if artifact.file_type == 'sast' changed this line in version 4 of the diff
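Review bot: widening the guard on line 14 to `return unless artifact.file_type == 'metrics' || artifact.file_type == 'sast'` lets `sast` artifacts fall through to `track_usage_event(METRICS_REPORT_UPLOAD_EVENT_NAME, job.user_id)`, so that call must sit under its own `'metrics'` branch rather than rely on the `if artifact.file_type == 'sast'` added at line 16 to keep the two paths apart; a `case artifact.file_type when 'metrics' ... when 'sast' ... end` makes them exclusive and easier to read. The default-branch condition the MR description depends on is not in this hunk, so confirm it is applied here before the adherence worker is enqueued, otherwise merge request pipelines would also create or touch the check.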
added 3477 commits
- 791cc6ba...5341549b - 3474 commits from branch master
- 0171cd99 - Added default branch check
- bb2a45bd - Merge branch 'master' into 440722-sast-adherence
- 9e543573 - TOuch the time too
- Resolved by Hitesh Raghuvanshi
- Resolved by Hitesh Raghuvanshi
- Resolved by Hitesh Raghuvanshi
@huzaifaiftikhar1 Can you please take an initial look at this MR and let me know if this has any conflicts with the work that you are doing for custom adherence checks?
- Resolved by Felipe Cardozo
changed milestone to %17.5
added 529 commits
- 23aabbc9...cbadebba - 521 commits from branch master
- 21c03521 - Added sast workers
- 48e5759e - Added sast workers
- 74dda5e3 - Updated queues yml
- 0d819f25 - Artifacts and adherence created
- 03cdcc74 - Frontend changes
- d7607141 - Added default branch check
- 4f673916 - TOuch the time too
- b7fb625a - Removed incomplete rspec and refactored
A deleted user added feature flag label
added 474 commits
- cc421e75...6daadf12 - 465 commits from branch master
- deadc8c1 - Added sast workers
- 91f06fc5 - Added sast workers
- 4528c03d - Updated queues yml
- 03d989fb - Artifacts and adherence created
- a1f8f6f7 - Frontend changes
- 43b48f00 - Added default branch check
- cc897cd3 - TOuch the time too
- ae92d626 - Removed incomplete rspec and refactored
- 56f790a8 - Added test cases and ff
added 217 commits
- 88ff04e8...addd64cd - 207 commits from branch master
- 56927e33 - Added sast workers
- 5cee838c - Added sast workers
- 78c75db3 - Updated queues yml
- 50e9395f - Artifacts and adherence created
- 420e46eb - Frontend changes
- 2ca21889 - Added default branch check
- 99fbf793 - TOuch the time too
- 563c157c - Removed incomplete rspec and refactored
- ffe42c68 - Added test cases and ff
- b0f24d46 - Added test cases
added 3 commits
added 33 commits
- 2a821881...65aad45d - 20 commits from branch master
- 65aad45d...bd902304 - 3 earlier commits
- 496d5305 - Artifacts and adherence created
- 5089701a - Frontend changes
- 9c0fcfc0 - Added default branch check
- bfdf1ac9 - TOuch the time too
- 8449ac41 - Removed incomplete rspec and refactored
- cba316c2 - Added test cases and ff
- 7f4bda10 - Added test cases
- d00a337b - Added test cases
- 7cf41962 - Added graphql doc
- 211de74c - Fixed rubocop offence
- Resolved by Hitesh Raghuvanshi
@craigmsmith Can you please do an initial backend review of this MR? Assigning you because I think this one falls into the domain of the static analysis team, because it involves the SAST scanner.
requested review from @craigmsmith
removed review request for @craigmsmith
requested review from @hyan3
- Resolved by Felipe Cardozo
- Resolved by Hitesh Raghuvanshi
added 715 commits
- fb4e04c3...da7ef78d - 714 commits from branch master
- 870055f6 - Adding adherence check for sast scanner run
added 2 commits
added 270 commits
- 8f267671...7c455e1f - 267 commits from branch master
- b0293673 - Adding adherence check for sast scanner run
- 3b523d44 - Refactored the code around feature flag
- 992a1d1b - Fixed lint issues
mentioned in issue #467082
mentioned in issue #440721 (closed)
mentioned in issue #440720
mentioned in issue #440718
mentioned in issue #440717
mentioned in issue #440715
added pipeline:mr-approved label
added pipelinetier-2 label and removed pipelinetier-1 label