Support default branch and MR pipelines via scan profiles

What does this MR do and why?

Adds support for default branch and MR pipelines via scan profiles.

The main changes include:

  1. New pipeline source type: Added security_scan_profiles_source as a new way pipelines can be created.

  2. Profile-based pipeline creation: When security scan profiles are configured for a project, they can automatically create pipelines on specific events based on their triggers (like merge requests or pushes to the default branch) to run security scans.

  3. Automatic job injection: When a security scan profile triggers a pipeline, it automatically adds security scanning jobs to an "application-security-testing" stage, even if the original pipeline configuration was empty.

  4. Feature gating: The functionality is protected behind both a license check (requiring the security_scan_profiles license) and a feature flag for controlled rollout.
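As an added illustration (not code from this MR or from GitLab), the following simplified Ruby model shows how the pieces above fit together: the license and feature-flag gate, the mapping from a pipeline event to a profile trigger type, and the injection of scan jobs into the "application-security-testing" stage even when the incoming CI configuration is empty. All names (`inject_scan_jobs`, `Profile`, `EVENT_TO_TRIGGER`, the job naming) are assumptions for the example, not GitLab's actual classes.

```ruby
# Hypothetical model of scan-profile pipeline creation (added example).
SECURITY_STAGE = 'application-security-testing'

# Pipeline event -> the ScanProfileTrigger trigger_type that should fire.
EVENT_TO_TRIGGER = {
  default_branch_push: :default_branch_pipeline,
  merge_request: :merge_request_pipeline
}.freeze

# A profile with its scan type, configured trigger types and attached projects.
Profile = Struct.new(:name, :scan_type, :trigger_types, :project_ids)

# Returns the CI config (a Hash) with scan jobs injected for every profile that
# is attached to `project_id` and has a trigger matching `event`. Returns the
# original config untouched when the feature is not licensed, the flag is off,
# the event has no trigger type, or no profile applies. `config` may be {},
# mirroring the MR's note that jobs are added even for an empty configuration.
def inject_scan_jobs(config, event:, project_id:, profiles:, licensed:, flag_enabled:)
  return config unless licensed && flag_enabled          # feature gating
  trigger = EVENT_TO_TRIGGER[event]
  return config unless trigger

  matching = profiles.select do |p|
    p.project_ids.include?(project_id) && p.trigger_types.include?(trigger)
  end
  return config if matching.empty?

  result = config.dup
  result[:stages] = (Array(config[:stages]) + [SECURITY_STAGE]).uniq
  matching.uniq(&:scan_type).each do |p|
    # Job name is the scan type (e.g. "sast"); the script is a placeholder.
    result[p.scan_type.to_s] = {
      stage: SECURITY_STAGE,
      script: ["run #{p.scan_type} scan for profile '#{p.name}'"]
    }
  end
  result
end
```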

Changelog: added

How to set up and validate locally

  1. Enable the feature flag:

     Feature.enable(:security_scan_profiles_pipelines)

  2. Select a root group g that will be used to create a scan profile:

     g = Group.find(<group_id>)

  3. Choose a project p under group g. Make sure the project:

     • Has at least one file to scan (e.g., app.py)
     • Has no security policies attached
     • Has Auto DevOps disabled

  4. Create a ScanProfile with sast scan type:

     profile = Security::ScanProfile.create!(
       namespace_id: g.id,
       scan_type: :sast,
       name: 'Test SAST profile',
       description: 'Test profile for SAST scanning',
       gitlab_recommended: false
     )

  5. Attach the profile to the project:

     Security::ScanProfileProject.create!(
       security_scan_profile_id: profile.id,
       project_id: p.id
     )

  6. Create a trigger for default_branch_pipeline:

     Security::ScanProfileTrigger.create!(
       namespace_id: g.id,
       security_scan_profile_id: profile.id,
       trigger_type: :default_branch_pipeline
     )

  7. Run a manual pipeline on the default branch and verify that a SAST job is triggered.

  8. Add another trigger for merge_request_pipeline:

     Security::ScanProfileTrigger.create!(
       namespace_id: g.id,
       security_scan_profile_id: profile.id,
       trigger_type: :merge_request_pipeline
     )

  9. Create a merge request and verify that a SAST job is triggered in the MR pipeline.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to [Backend] Support pipeline based scans (#588157) • Gal Katz • 18.10 and [Backend] Spike: Pipeline creation flow and pol... (#586877 - closed) • Gal Katz • 18.9

Edited by Gal Katz
