SECURE_ANALYZERS_PREFIX doesn't have any effect on image used

Problem

Setting the SECURE_ANALYZERS_PREFIX variable outside of the API Fuzzing template doesn't change the IMAGE being used. This is likely due to our also setting FUZZAPI_IMAGE in the template. The FUZZAPI_IMAGE variable allows us to perform e2e testing using the official template with builds that have not yet been pushed to production.

Workaround

This bug has a workaround: set FUZZAPI_IMAGE to the full image name.

Proposal

variables:
    FUZZAPI_VERSION: "1"
    FUZZAPI_IMAGE: api-fuzzing
    SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

apifuzzer_fuzz:
    stage: fuzz
    image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION
    allow_failure: true
    rules:
        - if: $API_FUZZING_DISABLED
          when: never
        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
                $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
          when: never
        - if: $CI_COMMIT_BRANCH
    script:
        - /peach/analyzer-fuzz-api
    artifacts:
        when: always
        paths:
            - gl-assets
            - gl-api-fuzzing-report.json
            - gl-*.log
        reports:
            api_fuzzing: gl-api-fuzzing-report.json

  1. Create DAST-API.latest.gitlab-ci.yml
  2. Update API-Fuzzing.latest.gitlab-ci.yml
  3. Add test
  4. Document current behavior and new behavior
Edited by Michael Eddington
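
The proposal builds the image reference from three variables, so a FUZZAPI_IMAGE value written for the workaround (a full image name) would no longer produce a valid reference once the template changes. The script below is an added example, not part of the issue or of GitLab's template: it mirrors the proposed `image:` line and flags workaround-style overrides. The function names and the `registry.example.com/mirror` prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GitLab's code). Mirrors the proposed line
#   image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION
# and flags FUZZAPI_IMAGE values that were written for the workaround.

# Defaults copied from the variables block of the proposal.
DEFAULT_PREFIX="registry.gitlab.com/gitlab-org/security-products/analyzers"
DEFAULT_IMAGE="api-fuzzing"
DEFAULT_VERSION="1"

# compose_image PREFIX IMAGE VERSION
# Prints the reference the job would pull; an empty argument means "not overridden".
compose_image() {
    printf '%s/%s:%s\n' "${1:-$DEFAULT_PREFIX}" "${2:-$DEFAULT_IMAGE}" "${3:-$DEFAULT_VERSION}"
}

# is_full_reference VALUE
# Succeeds when VALUE already carries a registry path, a tag or a digest.
is_full_reference() {
    case "$1" in
        */*|*:*|*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_override PREFIX IMAGE VERSION
# Prints the resolved reference, or returns 1 with a diagnostic on stderr
# when IMAGE is a full image name that the proposed template would mangle.
check_override() {
    if is_full_reference "${2:-$DEFAULT_IMAGE}"; then
        echo "FUZZAPI_IMAGE='$2' is a full image name; the proposed template" \
             "would resolve it to '$(compose_image "$1" "$2" "$3")'" >&2
        return 1
    fi
    compose_image "$1" "$2" "$3"
}

# Constructed sample overrides: a mirror prefix, then a workaround-style value.
check_override "registry.example.com/mirror" "" ""
check_override "" "registry.example.com/mirror/api-fuzzing:1" "" \
    || echo "override needs migrating to SECURE_ANALYZERS_PREFIX"
```
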