Enable security report for API Fuzzing
What does this MR do?
Update the API Fuzzing analyzer's CI template to use the new security report capability.
- Produce new security report
- Pick up using `api_fuzzing` report type
- Collect report assets as job artifacts
This CI template uses a temporary new CI variable `FUZZAPI_NEW_REPORT` that will be removed in 14.0.
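To illustrate the mechanism the bullets above describe, here is a minimal job that declares its output under the `api_fuzzing` report type so the pipeline collects it as a security report artifact. This is an added example, not the CI template changed by this MR: the job name, stage, image, entrypoint and report filename are assumptions; `FUZZAPI_NEW_REPORT` is the variable the MR itself mentions.

```yaml
# Illustrative job only; not the template changed by this MR.
# Job name, stage, image, script and report filename are assumptions.
api_fuzzing_example:
  stage: fuzz
  image: registry.example.com/api-fuzzing:latest   # placeholder image
  variables:
    FUZZAPI_NEW_REPORT: "true"     # temporary opt-in variable named in this MR (removed in 14.0)
  script:
    - /run-api-fuzzing.sh          # placeholder for the analyzer entrypoint
  artifacts:
    when: always                   # keep the report even when the job fails on findings
    paths:
      - gl-api-fuzzing-report.json # assumed filename; also kept as a plain artifact for download
    reports:
      api_fuzzing: gl-api-fuzzing-report.json   # report type picked up by the Security tab / dashboard
```

Declaring the file under `artifacts:reports:api_fuzzing` is what moves the results from the Test tab to the Security tab; listing the same file under `paths` keeps the raw report downloadable from the job page.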
Relates to #270207 (closed)
CI Template Versioning
This change moves API Fuzzing results from a non-standard location to the expected location.
- CI Template is backwards compatible with existing usage in build pipelines
- Location to view vulnerabilities has changed from the Test tab to the Security tab and security dashboard.
Example Project + Pipeline
- Example project on `har` branch -- https://gitlab.com/mikeeddington/api-fuzzing-test/-/tree/har
- Example pipeline -- https://gitlab.com/mikeeddington/api-fuzzing-test/-/pipelines/228145799
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Michael Eddington