Expose security report from Dependency Scanning job
What does this MR do?
Because CI_JOB_TOKEN can no longer be used to retrieve pipeline artifacts, the current implementation of the integration-test does not work (see related issue).
This MR makes use of the DS_REPORT path in integration-test. This means that the qa tests need only set the DS_REPORT_PATH variable and override the artifacts of the dependency scanning job in order to allow access for qa jobs.
It looks like the artifacts override has to happen for each gemnasium-*dependency_scanning job because of the order of these includes: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml#L73
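As an added illustration (not the MR's own includes-dev/qa-dependency_scanning.yml), this is what the per-job artifacts override described above looks like in a consuming project's CI config. Assumed: the upstream template is included as shown, the job names match the template's gemnasium-* jobs, and the QA job name qa-ds-report is invented here.

```yaml
# Added illustration, not code from the MR. Assumptions: the upstream template is
# included as shown, the job names below match the template's gemnasium-* jobs,
# and "qa-ds-report" is a hypothetical QA job.
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

variables:
  # Where the analyzer writes its report; the QA job reads the same variable.
  DS_REPORT_PATH: gl-dependency-scanning-report.json

# Overriding `artifacts` on a job replaces the template's whole artifacts block,
# so carry over any other paths/reports the template declares there. Listing the
# report under artifacts:paths lets dependent jobs in the same pipeline receive
# it directly, with no CI_JOB_TOKEN call against the artifacts API.
.ds-expose-report: &ds-expose-report
  artifacts:
    paths:
      - $DS_REPORT_PATH
    reports:
      dependency_scanning: $DS_REPORT_PATH

# The template defines artifacts per job, so each gemnasium-* job is overridden.
gemnasium-dependency_scanning:
  <<: *ds-expose-report

gemnasium-maven-dependency_scanning:
  <<: *ds-expose-report

gemnasium-python-dependency_scanning:
  <<: *ds-expose-report

qa-ds-report:
  stage: test
  image: alpine:3
  needs:
    # optional: true keeps the pipeline valid when a job's rules exclude it
    # (for example, no package.json in the repository).
    - { job: gemnasium-dependency_scanning, artifacts: true, optional: true }
    - { job: gemnasium-maven-dependency_scanning, artifacts: true, optional: true }
    - { job: gemnasium-python-dependency_scanning, artifacts: true, optional: true }
  before_script:
    - apk add --no-cache jq
  script:
    # Fail if the report was not passed down, then sanity-check its shape.
    - test -s "$DS_REPORT_PATH"
    - jq -e '.vulnerabilities | type == "array"' "$DS_REPORT_PATH"
```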
My intention is to merge this MR, do a full run of the gemnasium pipeline to check for failing tests in more complicated scenarios (e.g. multimodule) and then remove the allow_failure directive once every test passes.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
Tested in js_npm using this MR's includes-dev/qa-dependency_scanning.yml commit: gitlab-org/security-products/tests/js-npm!13611 (closed)
Passing pipeline: https://gitlab.com/gitlab-org/security-products/tests/js-npm/-/pipelines/1283777243