Pin Version of DAST Scanner in Vendored Template
Problem:
This issue is the summarized version of this issue for DAST.
Currently we re-release previous versions of the DAST scanner because GitLab's `DAST-gitlab-ci.yml` looks for a DAST image by a name that corresponds to the GitLab version, such as `11-11-stable` or `11-12-stable`.

When a new version of the DAST scanner is created, that new scanner is deployed to the existing DAST images such as `11-11-stable`, `11-12-stable`, etc. This is not good practice, as an already-released version should not be changed after the fact.
Solution:
Update the `DAST-gitlab-ci.yml` file to pull a specific version of the DAST scanner that is independent of the GitLab version. For example, a variable in the yml file would define which version of DAST to pull: `$DAST_VERSION = 1`, `$DAST_VERSION = 1.4` or `$DAST_VERSION = 1.4.0`. The registry should then serve `DAST:$DAST_VERSION`.
Users will still have old `DAST-gitlab-ci.yml` template files, and their installs will continue to look for a DAST image named in the `11-12-stable` format. To avoid breaking existing installs while continuing to provide customers with the latest compatible scanner, we will keep supporting the MAJOR-MINOR-stable format up until GitLab version 13.

To inform users of the new versioning scheme, any image in the MAJOR-MINOR-stable format should print a deprecation notice telling users to pull the `DAST:<version>` image from the registry instead of MAJOR-MINOR-stable, and linking to the latest template.
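As an added example (not the project's own template), this is what the change to the vendored template amounts to: the image reference coupled to the GitLab release beside the one pinned to the scanner's own version. The registry path, the `$CI_SERVER_VERSION_*` variables in the old line and the job body are illustrative assumptions, not copied from the real template.

```yaml
# Added example, not the project's template. Registry path and job body are assumed.

# Old (current behaviour): the tag follows the GitLab release, e.g. 11-12-stable,
# so every scanner update has to be re-pushed to a tag that was already released.
#   image: registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable

# New: the tag follows the scanner's own release and is independent of GitLab's.
variables:
  DAST_VERSION: 1            # or 1.4, or 1.4.0 for a fully pinned, immutable image

dast:
  stage: dast
  image: registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION
  variables:
    GIT_STRATEGY: none
  script:
    - /analyze -t $DAST_WEBSITE   # illustrative entrypoint and target variable
  artifacts:
    reports:
      dast: gl-dast-report.json
```

Pinning to `1` or `1.4` still receives scanner updates within that major or minor line, so those tags are the ones the release process has to move; only the `major.minor.patch` tag is expected to stay fixed once published.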
Tasks:
- Update the vendored template https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/ci/templates/Security to pin to a version of DAST.
- Update the DAST CI config file to keep releasing under the old naming convention up until version 13.0.
- Update the DAST CI config to build the `major.minor` docker image tag along with the `major.minor.patch` and `major` ones.
- Update the release process documentation.
- Add a validation step to ensure CHANGELOGs are in the correct format.