On demand DAST not working on projects with a compliance pipeline
Summary
Running an on demand DAST scan on a project with a compliance pipeline assigned does not work. The jobs associated with the compliance pipeline will run, but not the on demand scan.
Steps to reproduce
- Ensure the project has a compliance framework with a compliance pipeline assigned, like this (please slack me for access)
- Set up a new on demand scan with a new site profile (I did not validate, but this works on projects without the compliance framework) and a new scan profile
- Save and run
- The pipeline you can click on after a "success" will show jobs from the compliance pipeline with no DAST results reported.
I am almost positive that this was not occurring before December 22.
Example Project
Bad: https://gitlab.com/tmedlin-demo/tanuki-racing/-/on_demand_scans#/all (please slack me for access!) The most recent passed scan links to this pipeline, which does not make sense.
Good: project and pipeline without a compliance pipeline enabled
What is the current bug behavior?
The DAST scan isn't running, but the compliance pipeline jobs are.
What is the expected correct behavior?
The scan should run, even if there is a compliance pipeline enforcing that other jobs run.
Possible fixes
As outlined in this comment, #437098 (comment 1741896350), add the on demand DAST scan pipeline source to the list of sources for which the compliance project config is skipped:
diff --git a/ee/lib/gitlab/ci/project_config/compliance.rb b/ee/lib/gitlab/ci/project_config/compliance.rb
index b2771f388810..c3773bebc3ae 100644
--- a/ee/lib/gitlab/ci/project_config/compliance.rb
+++ b/ee/lib/gitlab/ci/project_config/compliance.rb
@@ -9,7 +9,7 @@ def content
next unless available?
next unless pipeline_configuration_full_path.present?
next if pipeline_source_bridge && pipeline_source == :parent_pipeline
- next if pipeline_source == :security_orchestration_policy
+ next if [:security_orchestration_policy, :ondemand_dast_scan].include?(pipeline_source)
path_file, path_project = pipeline_configuration_full_path.split('@', 2)
YAML.dump('include' => [{ 'project' => path_project, 'file' => path_file }])
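Review bot: the new `next if [:security_orchestration_policy, :ondemand_dast_scan].include?(pipeline_source)` line needs a spec and an explanatory comment, because it means an on demand DAST pipeline no longer includes the compliance pipeline configuration at all, so the compliance-enforced jobs are exempted for that source in the same way they already are for `:security_orchestration_policy`. Add a test asserting that a pipeline with source `:ondemand_dast_scan` yields no compliance `include`, and consider extracting the exempted sources into a named constant so the exemption is visible and documented rather than an inline array literal.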