Process security report observability events

What does this MR do and why?

  • The feature is behind the feature flag :process_scan_events
  • Add a new Sidekiq worker that processes the observability events included in security reports.
  • Track the events included in security reports via the internal events API
  • Only process event names that are on the allow list; anything else is rejected
  • Tests

How to set up and validate locally

Testing this feature is done by submitting a security report via a pipeline job that contains an observability section. This MR contains two security reports that can be used to perform local validation:

  • ee/spec/fixtures/security_reports/master/gl-dast-report-observability.json -- This report contains an event that is on the allow list. The expected behavior is an exception (Gitlab::Tracking::EventValidator::UnknownEventError) from the internal events API, because the event name is not registered as an event definition. This proves that the allow list check passed and that we are calling the internal events API correctly.
  • ee/spec/fixtures/security_reports/master/gl-dast-report-observability-unknown-event.json -- This report contains an event that is not on the allow list. This results in the exception Security::ProcessScanEventsService::ScanEventNotInAllowListError before the internal events API is called. This shows that the allow list logic is working correctly.
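The two outcomes above, modelled as an added Ruby example. This is not GitLab's code: the shape of the observability section (report["observability"]["events"], each with "name" and "properties"), the allow list contents, the error classes and the FakeInternalEvents tracker are all hypothetical stand-ins, and the two fixture reports are constructed inline. The point it demonstrates is the ordering of the controls: a security report is a pipeline artifact, so every event name in it is untrusted input and must be checked against the allow list before anything is handed to the internal events API, which then enforces its own registry of known events.

```ruby
# Added example, not GitLab's implementation. Shows allow-list filtering of
# observability events taken from a security report, followed by a stand-in
# for the internal events API that rejects unregistered event names.
require 'json'

module ScanEventsExample
  # Hypothetical error classes mirroring the two failures described in the MR.
  class ScanEventNotInAllowListError < StandardError; end
  class UnknownEventError < StandardError; end

  # Hypothetical allow list: the only event names the worker may forward.
  ALLOW_LIST = %w[dast_scan_completed dast_scan_failed].freeze

  # Stand-in for the internal events API. Only event names present in the
  # registered catalogue may be tracked; anything else raises UnknownEventError.
  class FakeInternalEvents
    attr_reader :tracked

    def initialize(registered)
      @registered = registered
      @tracked = []
    end

    def track_event(name, **props)
      raise UnknownEventError, "#{name} is not a registered event" unless @registered.include?(name)

      @tracked << [name, props]
    end
  end

  # Pulls the events out of the (assumed) observability section of a report.
  def self.extract_events(report_json)
    report = JSON.parse(report_json)
    Array(report.dig('observability', 'events')).map do |e|
      { name: e.fetch('name'), properties: e.fetch('properties', {}) }
    end
  end

  # Validates every event name against the allow list first, then forwards the
  # events to the tracker. Returns the number of events forwarded. Raises
  # ScanEventNotInAllowListError before any event is tracked if one is unlisted.
  def self.process(report_json, tracker, allow_list: ALLOW_LIST)
    events = extract_events(report_json)

    events.each do |ev|
      next if allow_list.include?(ev[:name])

      raise ScanEventNotInAllowListError, "#{ev[:name]} is not in the allow list"
    end

    events.each do |ev|
      tracker.track_event(ev[:name], **ev[:properties].transform_keys(&:to_sym))
    end
    events.size
  end

  # Constructed sample reports (minimal DAST-like shape, hypothetical schema).
  ALLOWED_REPORT = JSON.generate(
    'version' => '15.0.0',
    'vulnerabilities' => [],
    'observability' => {
      'events' => [{ 'name' => 'dast_scan_completed', 'properties' => { 'duration_s' => 42 } }]
    }
  ).freeze

  UNKNOWN_REPORT = JSON.generate(
    'version' => '15.0.0',
    'vulnerabilities' => [],
    'observability' => {
      'events' => [{ 'name' => 'dast_custom_telemetry', 'properties' => {} }]
    }
  ).freeze
end

if $PROGRAM_NAME == __FILE__
  # Allowed and registered: forwarded.
  tracker = ScanEventsExample::FakeInternalEvents.new(['dast_scan_completed'])
  puts "forwarded: #{ScanEventsExample.process(ScanEventsExample::ALLOWED_REPORT, tracker)}"

  # Allowed but not registered: rejected by the (fake) internal events API.
  begin
    ScanEventsExample.process(ScanEventsExample::ALLOWED_REPORT, ScanEventsExample::FakeInternalEvents.new([]))
  rescue ScanEventsExample::UnknownEventError => e
    puts "internal events API rejected: #{e.message}"
  end

  # Not on the allow list: rejected before the tracker is ever called.
  begin
    ScanEventsExample.process(ScanEventsExample::UNKNOWN_REPORT, tracker)
  rescue ScanEventsExample::ScanEventNotInAllowListError => e
    puts "allow list rejected: #{e.message}"
  end
end
```

Note that process validates the whole list before forwarding anything, so a report mixing one allowed and one unlisted event forwards nothing rather than half of it; that is a design choice in this example, and the real worker's behaviour should be read from its spec rather than assumed from here.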

NOTE: This feature is behind a feature flag, don't forget to enable the feature for the project uploading the report.

  1. Create a new project
  2. Enable the FF (process_scan_events) for this new project
  3. Add the security report(s) to the project repository
  4. Add a .gitlab-ci.yml file with the following contents (replacing SECURITY_REPORT_FILE_NAME_HERE):

dast:
  stage: test
  script:
    - echo "Hello world!"
  artifacts:
    when: always
    reports:
      dast: SECURITY_REPORT_FILE_NAME_HERE

  5. Run the pipeline
  6. Check the logs (the exceptions are raised from the Sidekiq worker) for the expected result of the report used (see the reports above)

Related to #473109 (closed)

Edited by Michael Eddington
