Draft: Feat(security): Add ASCP data layer for security analysis

Summary

Add the database schema and models for the Application Security Collaboration Platform (ASCP) feature, under the existing Security bounded context and in the gitlab_sec database schema. This MR contains only the data layer of the ASCP integration with GitLab.

Related to: static_application_security_testing feature category

What does this MR do?

Database Tables (15 tables)

Table                                     Purpose
ascp_sinks                                Security-sensitive code locations (potential vulnerabilities)
ascp_sink_analyses                        Analysis results with severity/exploitability scores
ascp_sink_analysis_facts                  Individual security facts with risk factors (-5 to +5)
ascp_sink_analysis_relevant_files         Files relevant to understanding the vulnerability
ascp_sink_analysis_dataflow_locations     Ordered dataflow path from source to sink
ascp_sink_patterns                        Global sink detection patterns (CWE-based)
ascp_project_sink_patterns                Project-specific pattern configuration
ascp_exclusion_patterns                   Global exclusion patterns (filepath/filename/directory)
ascp_project_exclusion_patterns           Project-specific exclusion configuration
ascp_components                           Business/application components
ascp_component_dependencies               Component dependency relationships
ascp_security_contexts                    Security context and threat model per component
ascp_security_guidelines                  Security guidelines with violation severity
ascp_scan_metadata                        Scan execution tracking
ascp_incremental_scan_history             Incremental scan diff tracking

Models & Architecture

  • All models under Security::Ascp::* namespace (using the existing Security bounded context)
  • Models extend SecApplicationRecord for gitlab_sec database schema
  • Loose foreign keys for project_id (a cross-database reference into gitlab_main, where a regular foreign key is not possible)
  • Regular foreign keys with ON DELETE CASCADE for relationships between the ascp_* tables, all of which live in gitlab_sec

Authorization

  • Policies delegate to the project's read_security_resource and admin_vulnerability permissions
  • Located in ee/app/policies/security/ascp/

Migration Best Practices

  • Uses t.text :column, limit: X inline for new tables (GitLab extension that adds the char_length check constraint)
  • Uses disable_ddl_transaction! only in migrations that need add_concurrent_foreign_key
  • Uses if_not_exists: true on create_table in those non-transactional migrations, so a partially applied migration can be re-run
  • Uses t.integer :column, limit: 2 for smallint columns

How to set up and validate locally

  1. Run migrations:

    bin/rails db:migrate
  2. Verify tables created:

    bin/rails runner "puts ActiveRecord::Base.connection.tables.select { |t| t.start_with?('ascp_') }.sort"
  3. Run model specs:

    bin/rspec ee/spec/models/security/ascp/
  4. Test factory creation:

    bin/rails runner "FactoryBot.create(:security_ascp_sink)"
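The steps above confirm that the tables exist and the models load. The script below goes one step further and cross-checks the three artifacts the acceptance checklist asks for against each other: each ascp_* table in db/structure.sql must have a dictionary file with gitlab_schema: gitlab_sec, every project-scoped table (one with a project_id column) must declare project_id as its sharding key and have a loose foreign key to projects, and every text column must carry a char_length check (what t.text :column, limit: X generates). This is an added example, not code from this MR or from GitLab; the file formats follow GitLab's db/docs and config/gitlab_loose_foreign_keys.yml conventions, the inputs are constructed snippets, and the column names, constraint names and finding messages are assumptions.

```ruby
# Added example (not part of the MR): consistency check across db/structure.sql,
# db/docs/<table>.yml and config/gitlab_loose_foreign_keys.yml for ascp_* tables.
# All inputs below are constructed; only the table names come from the MR.
require 'yaml'

# Constructed excerpt of db/structure.sql. ascp_sinks is fully wired up,
# ascp_sink_patterns is a global table without project_id, and
# ascp_scan_metadata is project-scoped but has no dictionary or loose FK yet.
STRUCTURE_SQL = <<~SQL
  CREATE TABLE ascp_sinks (
      id bigint NOT NULL,
      project_id bigint NOT NULL,
      created_at timestamp with time zone NOT NULL,
      file_path text NOT NULL,
      CONSTRAINT check_ascp_sinks_file_path_length CHECK ((char_length(file_path) <= 1024))
  );

  CREATE TABLE ascp_sink_patterns (
      id bigint NOT NULL,
      cwe_id text NOT NULL,
      pattern text NOT NULL
  );

  CREATE TABLE ascp_scan_metadata (
      id bigint NOT NULL,
      project_id bigint NOT NULL,
      status smallint DEFAULT 0 NOT NULL
  );
SQL

# Constructed db/docs/<table>.yml contents, keyed by table name.
DB_DOCS = {
  'ascp_sinks' => <<~YAML,
    ---
    table_name: ascp_sinks
    gitlab_schema: gitlab_sec
    feature_categories:
    - static_application_security_testing
    sharding_key:
      project_id: projects
  YAML
  'ascp_sink_patterns' => <<~YAML
    ---
    table_name: ascp_sink_patterns
    gitlab_schema: gitlab_sec
    feature_categories:
    - static_application_security_testing
  YAML
}

# Constructed excerpt of config/gitlab_loose_foreign_keys.yml.
LOOSE_FK_YAML = <<~YAML
  ascp_sinks:
    - table: projects
      column: project_id
      on_delete: async_delete
YAML

# Parse CREATE TABLE blocks into { name => { columns: {col => type}, constraints: [...] } }.
def parse_tables(sql)
  sql.scan(/CREATE TABLE (\w+) \((.*?)\n\);/m).to_h do |name, body|
    lines = body.lines.map(&:strip).reject(&:empty?)
    columns = lines.reject { |l| l.start_with?('CONSTRAINT') }.to_h { |l| l.split(' ', 2) }
    constraints = lines.select { |l| l.start_with?('CONSTRAINT') }
    [name, { columns: columns, constraints: constraints }]
  end
end

# Return a list of human-readable findings; an empty list means all checks passed.
def check_ascp_tables(structure_sql:, db_docs:, loose_fk_yaml:)
  tables = parse_tables(structure_sql).select { |name, _| name.start_with?('ascp_') }
  loose_fks = YAML.safe_load(loose_fk_yaml) || {}
  findings = []

  tables.each do |name, table|
    doc = db_docs[name] && YAML.safe_load(db_docs[name])
    findings << "#{name}: missing db/docs/#{name}.yml" unless doc
    findings << "#{name}: gitlab_schema must be gitlab_sec" if doc && doc['gitlab_schema'] != 'gitlab_sec'

    if table[:columns].key?('project_id')
      unless doc && doc.dig('sharding_key', 'project_id') == 'projects'
        findings << "#{name}: dictionary lacks sharding_key project_id: projects"
      end
      lfk = Array(loose_fks[name]).find { |e| e['column'] == 'project_id' && e['table'] == 'projects' }
      findings << "#{name}: no loose foreign key for project_id in config/gitlab_loose_foreign_keys.yml" unless lfk
    else
      findings << "#{name}: no project_id column (global table, confirm it is meant to be unsharded)"
    end

    # Every text column should have the char_length check that t.text ..., limit: X produces.
    table[:columns].each do |col, type|
      next unless type.start_with?('text')
      next if table[:constraints].any? { |c| c.include?("char_length(#{col})") }

      findings << "#{name}: text column #{col} has no length limit (use t.text :#{col}, limit: N)"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  check_ascp_tables(structure_sql: STRUCTURE_SQL, db_docs: DB_DOCS, loose_fk_yaml: LOOSE_FK_YAML).each { |f| puts f }
end
```

To run it against a real checkout, replace the three constants with File.read of db/structure.sql, the contents of db/docs/ascp_*.yml and config/gitlab_loose_foreign_keys.yml; tables flagged as global are not errors by themselves, but each one should be a deliberate decision, since a project-scoped table without project_id cannot be sharded or cleaned up when its project is deleted.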

MR acceptance checklist

  • Database migrations
  • Database dictionary files (db/docs/ascp_*.yml)
  • Loose foreign keys configuration
  • ActiveRecord models
  • Authorization policies
  • FactoryBot factories
  • Model specs
  • db/structure.sql updated
  • Bounded context compliant (Security::Ascp)

Technical Notes

  • Sharding key: project_id for all project-scoped tables
  • Database schema: gitlab_sec
  • Feature category: static_application_security_testing
  • Milestone: 18.8
Edited by Meir Benayoun
