Provide JSON schemas for the Security reports
Problem to solve
Developers and integrators who contribute GitLab security scanners can't easily check that the scanners they maintain generate valid, compliant Secure reports, so they can't be sure that their scanners' output integrates correctly with GitLab.
Intended users
Further details
To help integrators ensure they generate compatible security reports, we need to provide a JSON Schema.
Proposal
Publish a base JSON schema that all Secure reports must validate against, plus category-specific JSON schemas for SAST, Dependency Scanning, Container Scanning, and DAST.
Keep the schemas, together with the common library, in a dedicated git repository. See #34652 (comment 234145253).
Automatic validation of generated reports using this JSON schema is covered by #34654 (closed).
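As an added illustration of how a base schema and a category-specific schema can compose, and of what an integrator would get back from validating a report against them (example code written for this issue, not GitLab's own schemas or validator; the field names, the severity values and the SAST `location` requirement are assumptions modelled on the report format and will be superseded by the published schemas; the sample reports are constructed):

```python
"""Minimal JSON Schema check for security reports (illustration, not GitLab code).

The validator covers only the keywords these example schemas use (type, required,
properties, items, enum, allOf), enough to show how a base schema and a
category-specific schema compose and what a violation report looks like.
"""
import json

SEVERITIES = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]  # assumed

# Assumed base schema: every Secure report has a version string and a list of
# vulnerabilities, each with category, name, message, severity and scanner.
BASE_SCHEMA = {
    "type": "object",
    "required": ["version", "vulnerabilities"],
    "properties": {
        "version": {"type": "string"},
        "vulnerabilities": {"type": "array", "items": {
            "type": "object",
            "required": ["category", "name", "message", "severity", "scanner"],
            "properties": {
                "category": {"type": "string"},
                "name": {"type": "string"},
                "message": {"type": "string"},
                "severity": {"enum": SEVERITIES},
                "scanner": {"type": "object", "required": ["id", "name"],
                            "properties": {"id": {"type": "string"}, "name": {"type": "string"}}},
            }}},
    },
}

# Assumed SAST schema: the base rules (reused via allOf) plus a file/line location.
SAST_SCHEMA = {"allOf": [BASE_SCHEMA, {
    "type": "object",
    "properties": {"vulnerabilities": {"type": "array", "items": {
        "type": "object",
        "required": ["category", "location"],
        "properties": {
            "category": {"enum": ["sast"]},
            "location": {"type": "object", "required": ["file", "start_line"],
                         "properties": {"file": {"type": "string"}, "start_line": {"type": "integer"}}},
        }}}},
}]}

_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
          "number": (int, float), "boolean": bool}


def _check(value, schema, path, errors):
    """Recursive subset validator; appends 'path: problem' strings to errors."""
    for sub in schema.get("allOf", []):
        _check(value, sub, path, errors)
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if "type" in schema:
        # bool is a subclass of int in Python; JSON Schema keeps them distinct
        wrong = not isinstance(value, _TYPES[schema["type"]]) or (
            isinstance(value, bool) and schema["type"] in ("integer", "number"))
        if wrong:
            errors.append(f"{path}: expected {schema['type']}")
            return  # nothing below makes sense on the wrong type
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required property {key!r}")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                _check(value[key], sub, f"{path}/{key}", errors)
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            _check(item, schema["items"], f"{path}/{i}", errors)


def validate_report(report_json, schema):
    """Parse a report (JSON text) and return the list of violations; empty means compliant."""
    errors = []
    _check(json.loads(report_json), schema, "#", errors)
    return errors


# Constructed sample reports: one compliant SAST report, one with three defects
# (no version, an unknown severity, a location without start_line).
VALID_SAST_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [{
    "category": "sast", "name": "Hardcoded password", "message": "Password literal found",
    "severity": "High", "scanner": {"id": "example", "name": "Example"},
    "location": {"file": "app/config.py", "start_line": 12}}]})

INVALID_SAST_REPORT = json.dumps({"vulnerabilities": [{
    "category": "sast", "name": "Hardcoded password", "message": "Password literal found",
    "severity": "Severe", "scanner": {"id": "example", "name": "Example"},
    "location": {"file": "app/config.py"}}]})

if __name__ == "__main__":
    for label, report in (("valid", VALID_SAST_REPORT), ("invalid", INVALID_SAST_REPORT)):
        print(label, validate_report(report, SAST_SCHEMA) or "OK")
```

Because the SAST schema embeds the base schema through `allOf`, a report that fails the base rules is reported with the same path and message whichever schema it is checked against; the category-specific schema only adds violations (here the missing `start_line`), which is the property the separate base and per-category schemas in this proposal should keep.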
Implementation plan
- Base schema
- SAST schema
- Dependency Scanning schema
- Container Scanning schema
- DAST schema
Permissions and Security
Documentation
- Update the Security scanner integration documentation, created as part of #34649 (closed), to point to these JSON schemas.
Testing
Check that the JSON schemas for security reports are present in the repository.
What does success look like, and how can we measure that?
Developers and integrators can easily check that the scanners they maintain generate valid Secure reports, by validating the reports against the published JSON schemas.
What is the type of buyer?
GitLab Ultimate mostly; could also be Core users for SAST with #32602 (closed).