
Add versioned template support in SEP policies

What does this MR do and why?

This MR adds versioning support and inputs functionality for Security Execution Policies (SEP). The changes enable the following.

This MR is blocked by "Add Dependency Scanning template version 2" (!201175, merged; Igor Frenkel; milestone 18.5) because it needs the DS v2 template available.

Template Versioning:

  • Introduces versioned template support for dependency_scanning scan types
  • Allows specific version selection (v2) alongside existing default and latest options
  • Maintains backward compatibility with existing template selection

Key Features:

  • Frontend Updates: Enhanced template selector component to display version-specific options based on scan type
  • Backend Support: Modified template resolution logic to handle versioned templates and inputs
  • Schema Validation: Updated JSON schemas to accept versioned templates with pattern validation (v1, v2, etc.)
  • Template Caching: Improved caching mechanism to support version-specific template retrieval

Supported Scan Types:

  • Dependency Scanning: v2, default, latest
  • Other scan types: default, latest (unchanged)

Technical Implementation

Frontend Changes:

  • Added VERSIONED_TEMPLATE_TYPES and VERSIONED_TEMPLATES constants
  • Enhanced TemplateSelector component with scan-type-aware template options
  • Updated tooltip messaging for versioned templates
  • Modified validation logic to accept versioned templates for supported scan types

Backend Changes:

  • Updated Template service to resolve versioned template paths
  • Enhanced TemplateCacheService to cache templates by version
  • Added input interpolation support for templates with spec sections
  • Modified JSON schema validation to accept versioned templates with regex patterns

Testing:

  • Comprehensive test coverage for versioned template selection
  • Validation tests for supported and unsupported version combinations
  • Cache behavior verification for versioned templates

This enhancement provides users with more granular control over security scanning templates while maintaining stability through version pinning.

How it works

(screen recording: sep-v2-screen-recording)

Local testing steps

  1. Check out this branch
  2. Check out the v2 template from its MR: git checkout origin/ifrenkel/546404-versioned-ds-template -- lib/gitlab/ci/templates/Jobs/Dependency-Scanning.v2.gitlab-ci.yml
  3. Create a simple project with a scannable file (a simple Gemfile.lock would do)
  4. Create a Scan Execution Policy with DS template v2 (set DS_ENABLE_VULNERABILITY_SCAN=false as a workaround for a bug)
  5. Run a pipeline in the project
  6. The dependency-scanning job should have been created with an SBOM artifact

(old recording)

Related to Support Versioned AST Templates and spec:inputs... (#547114)

Edited by Igor Frenkel
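The selection rules the description lists (dependency_scanning accepts v2, default and latest; every other scan type only default and latest; the schema accepts versions by pattern; the cache must be keyed by version) are easiest to check against a concrete policy. The following is an added example, not GitLab's own code or the code in this MR: the constant names, the `validate_template`/`template_path` helpers, the `vN` regex, the scan-type-to-file mapping and the sample policy are all assumptions, chosen to mirror the behaviour described above and the `Jobs/Dependency-Scanning.v2.gitlab-ci.yml` path from the testing steps.

```ruby
# Added example, not GitLab's code: models the template-selection rules described
# in this MR for Scan Execution Policy (SEP) actions and resolves the CI template
# path. All constant and method names here are hypothetical.
require 'yaml'

# Scan types that accept a pinned version, and which versions (assumed: only DS v2).
VERSIONED_TEMPLATES = { 'dependency_scanning' => %w[v2] }.freeze
# Options every scan type accepts, unchanged by this MR.
DEFAULT_TEMPLATES = %w[default latest].freeze
# Schema-level shape check: any vN is syntactically valid (assumed pattern).
VERSION_PATTERN = /\Av\d+\z/
# Hypothetical mapping from scan type to template file stem under lib/gitlab/ci/templates/.
TEMPLATE_STEMS = {
  'dependency_scanning' => 'Jobs/Dependency-Scanning',
  'secret_detection'    => 'Jobs/Secret-Detection',
  'sast'                => 'Jobs/SAST'
}.freeze

class TemplateValidationError < StandardError; end

def allowed_templates(scan_type)
  DEFAULT_TEMPLATES + VERSIONED_TEMPLATES.fetch(scan_type, [])
end

# Two-stage check: the schema regex only constrains the shape; the per-scan-type
# list decides whether that version actually exists for this scanner.
def validate_template(scan_type, template)
  template = template.nil? ? 'default' : template.to_s
  unless DEFAULT_TEMPLATES.include?(template) || template.match?(VERSION_PATTERN)
    raise TemplateValidationError, "#{template.inspect} must be default, latest or v<N>"
  end
  unless allowed_templates(scan_type).include?(template)
    raise TemplateValidationError,
          "#{template} is not available for #{scan_type} (allowed: #{allowed_templates(scan_type).join(', ')})"
  end
  template
end

# Path resolution assumes the existing `.latest.gitlab-ci.yml` naming and the
# `Dependency-Scanning.v2.gitlab-ci.yml` file referenced in the testing steps.
def template_path(scan_type, template)
  stem = TEMPLATE_STEMS.fetch(scan_type) { raise ArgumentError, "unknown scan type #{scan_type}" }
  suffix = template == 'default' ? '' : ".#{template}"
  "#{stem}#{suffix}.gitlab-ci.yml"
end

# Cache keyed by scan type *and* template: keying on scan type alone would hand a
# policy that pins v2 the previously cached default template.
TEMPLATE_CACHE = {}
def cached_template_path(scan_type, template)
  TEMPLATE_CACHE[[scan_type, template]] ||= template_path(scan_type, template)
end

# Validates every action of a policy document and returns the resolved templates.
def resolve_policy_templates(policy_yaml)
  policy = YAML.safe_load(policy_yaml)
  policy.fetch('scan_execution_policy').flat_map do |entry|
    entry.fetch('actions').map do |action|
      scan = action.fetch('scan')
      template = validate_template(scan, action['template'])
      { scan: scan, template: template, path: cached_template_path(scan, template) }
    end
  end
end

# Constructed sample policy: DS pinned to v2, secret detection on latest.
SAMPLE_POLICY = <<~YAML
  scan_execution_policy:
    - name: Pin dependency scanning to v2
      enabled: true
      rules:
        - type: pipeline
          branches: ["*"]
      actions:
        - scan: dependency_scanning
          template: v2
        - scan: secret_detection
          template: latest
YAML

if __FILE__ == $PROGRAM_NAME
  resolve_policy_templates(SAMPLE_POLICY).each do |r|
    puts "#{r[:scan]} (#{r[:template]}) -> #{r[:path]}"
  end
end
```

Running the file resolves the DS action to `Jobs/Dependency-Scanning.v2.gitlab-ci.yml` and the secret detection action to `Jobs/Secret-Detection.latest.gitlab-ci.yml`, while `template: v2` on `sast` or `template: v3` on `dependency_scanning` is rejected by the second stage even though both pass the schema pattern. That split matters for the supply-chain property the description calls version pinning: a policy that pins v2 must never silently fall back to `default` or `latest`, so the cache and resolver must treat the version as part of the identity of the template.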
