Inject `dast` stage into on-demand scan execution policy scans
What does this MR do and why?
- Relevant Slack thread
Fixes a bug that causes DAST scans scheduled by scan execution policies not to execute.
The reason is that the DAST analyzer runs as part of the `dast` stage. However, the CI configuration assembled by scan execution policies for DAST does not include this stage, so the scan job never executes because its stage is missing.
This has gone unnoticed in tests because if the DAST scan action references a non-existent DAST site/scanner profile, an `error_script` job is executed instead, which does not run in the `dast` stage.
This MR fixes this by injecting the stage.
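As an added illustration, not code from this MR or from GitLab itself: a short Ruby check that reproduces the failure mode on a constructed CI config (a `dast-on-demand-0` job in the `dast` stage while the declared `stages` list omits it) and injects the missing stage, which is the shape of the fix described above. The config values, the default-stage list and the helper names are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample (not the MR's own config): the shape of a CI config a scan
# execution policy might assemble for an on-demand DAST job. The job sits in
# the `dast` stage, but the declared `stages` list omits it, which is the
# defect described above. Image and script values are placeholders.
POLICY_CI_YAML = <<~YAML
  stages:
    - build
    - test
  dast-on-demand-0:
    stage: dast
    image: registry.example.invalid/dast:latest
    script:
      - /analyze
YAML

# GitLab's default stage list, used when a config declares no `stages`.
DEFAULT_STAGES = %w[.pre build test deploy .post].freeze

# Top-level entries that are jobs, i.e. hashes carrying a `stage` key.
def jobs_in(config)
  config.select { |_name, value| value.is_a?(Hash) && value.key?('stage') }
end

# Stages that some job references but the config never declares. A non-empty
# result is exactly the situation that leaves the DAST job unscheduled.
# `.pre` and `.post` are always available, so they are never reported.
def undeclared_stages(config)
  declared = config.fetch('stages', DEFAULT_STAGES) | %w[.pre .post]
  jobs_in(config).values.map { |job| job['stage'] }.uniq - declared
end

# Append every undeclared stage to `stages` (the fix's strategy, in spirit).
# Returns the same object when nothing is missing.
def inject_missing_stages(config)
  missing = undeclared_stages(config)
  return config if missing.empty?

  config.merge('stages' => config.fetch('stages', DEFAULT_STAGES) + missing)
end

if __FILE__ == $PROGRAM_NAME
  config = YAML.safe_load(POLICY_CI_YAML)
  puts "undeclared stages: #{undeclared_stages(config).inspect}"
  puts YAML.dump(inject_missing_stages(config))
end
```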
Screenshots or screen recordings
- `type: schedule` with DAST profiles present
- `type: schedule` without DAST profiles present
- `type: pipeline` with DAST profiles present
- `type: pipeline` without DAST profiles present
How to set up and validate locally
`type: schedule` policies
Validate
- Create a new project
- Navigate to Security & Compliance > Configuration and under "DAST", click the "DAST profiles" button
- Create a scanner profile "scanner-profile"
- Create a site profile "site-profile"
- Navigate to Security & Compliance > Policies
- Create a new policy from the following contents:
  ```yaml
  scan_execution_policy:
    name: foobar
    description: foobar
    enabled: true
    actions:
      - scan: dast
        scanner_profile: scanner-profile
        site_profile: site-profile
      - scan: container_scanning
    rules:
      - type: schedule
        cadence: "*/30 * * * *"
        branches:
          - main
  ```
- Merge the resulting policy MR
- Create a new file with the following contents, e.g. `schedule.rb`:
  ```ruby
  schedule = Security::OrchestrationPolicyRuleSchedule.last
  project = schedule.security_orchestration_policy_configuration.project
  current_user = schedule.owner
  Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)
  ```
- Execute it: `bin/rails runner schedule.rb`
- Navigate to CI/CD > Pipelines
- Verify that the `dast-on-demand-0` job was created in the `dast` stage
`type: pipeline` policies
Validate
- In the previously created project, navigate to Security & Compliance > Policies
- Update the existing policy with the following contents:
  ```yaml
  scan_execution_policy:
    name: foobar
    description: foobar
    enabled: true
    actions:
      - scan: dast
        scanner_profile: scanner-profile
        site_profile: site-profile
      - scan: container_scanning
    rules:
      - type: pipeline
        branches:
          - main
  ```
- Commit the following `.gitlab-ci.yml` to the `main` branch:
  ```yaml
  dummy_job:
    stage: test
    script: ":" # no-op
  ```
- Verify that the `dast-on-demand-0` job was created in the `dast` stage
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Bauer