WIP: Initial version of the Container Scanning test project

Victor Zagorodny requested to merge 9244-initial-version into master

Description

Initial version of the test project:

  • uses Container-Scanning.gitlab-ci.yml vendored template
  • uses docker-dind to build the Docker image from Dockerfile within the CI pipeline
  • leverages the Docker image caching and the local Container Registry to speed up the build
  • webgoat Docker image is used as the base image

Execution

Project content

  • copy the template dir content to the new repository and find/replace the REPLACE_ME placeholders.
  • set up the master branch:
    • create a basic app for given language, package manager and framework with some relevant vulnerabilities
    • configure the compatible Security Products features in the .gitlab-ci.yml (comment out unsupported ones)
    • update the expected reports in qa/expect/
  • create the auto-devops-FREEZE branch from master and remove the .gitlab-ci.yml file.
  • create the QA-MR-FREEZE branch from master
    • add necessary changes to the test app to generate new, fixed and existing vulnerabilities
    • update the expected reports in qa/expect/
    • open a Merge Request against master with the name WIP: QA for all Security Products features
  • add the created project to the QA script at: https://gitlab.com/gitlab-org/security-products/release

Project configuration

To ensure the QA can be automatically triggered and to notify the team when it fails, the project must be configured as follows:

  • sign in with gitlab-bot user and create a Pipeline trigger named QA to obtain a token for automated QA configuration
  • set up the Slack notifications project service:
    • check the active option
    • uncheck all triggers but Pipeline (leave Channel name empty)
    • use the Webhook URL available in the Slack's SP-Bot service configuration page
    • use SP-Bot as the Username
    • check the Notify only broken pipelines option
    • submit the form and check that the test event has been successfully sent to the #sp-alert Slack channel
Edited by Victor Zagorodny
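The Description above lists what the test project's pipeline does (vendored Container Scanning template, docker-dind build, registry-backed layer caching) without showing the CI file. The following .gitlab-ci.yml is an added example written for this page, not the test project's own file or a GitLab-provided file. It assumes a Dockerfile at the repository root, a build stage that runs before the template's scanning stage, and GitLab's predefined CI variables (CI_REGISTRY, CI_REGISTRY_IMAGE, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, CI_COMMIT_SHA); the image name and tag the vendored template looks for should be checked against the template version actually in use.

```yaml
# Added example pipeline (not the project's own .gitlab-ci.yml).
# Assumptions: Dockerfile at the repo root; "build" stage precedes the
# template's scanning stage; predefined GitLab CI variables are available.

include:
  # Vendored template that adds the container_scanning job
  - template: Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test

variables:
  DOCKER_DRIVER: overlay2
  # Image name/tag convention assumed here; verify it matches what the
  # vendored Container Scanning template scans in your GitLab version.
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build:
  stage: build
  image: docker:stable
  services:
    # Docker-in-Docker daemon used to build the image inside the pipeline
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Pull the previously pushed image so its layers can be reused as a
    # build cache; the first build has nothing to pull, so tolerate a miss.
    - docker pull "$CI_REGISTRY_IMAGE:latest" || true
    - docker build --cache-from "$CI_REGISTRY_IMAGE:latest" -t "$IMAGE_TAG" -t "$CI_REGISTRY_IMAGE:latest" .
    # Push both tags to the project's Container Registry: the SHA tag for
    # the scanner to pick up, the latest tag to seed the next build's cache.
    - docker push "$IMAGE_TAG"
    - docker push "$CI_REGISTRY_IMAGE:latest"
```

Because the base image is the deliberately vulnerable webgoat image, the scanner report produced by the template job is expected to be non-empty; that populated report is what the expected reports in qa/expect/ are compared against.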