Skip to content

Inject `dast` stage into on-demand scan execution policy scans

What does this MR do and why?

Fixes a bug that causes DAST scans scheduled by scan execution policies not to execute.

The reason is that the DAST analyzer runs as part of the dast stage. However the CI configuration assembled by scan execution policies for DAST does not include this stage.

This leads to the scan job not executing due to the missing stage:

This has gone unnoticed in tests because if the DAST scan action references a non-existent DAST site/scanner profile, an error_script job is executed instead, which does not run in the dast stage.

This MR fixes this by injecting the stage.

Screenshots or screen recordings

type: schedule with DAST profiles present

schedule_with_profile

type: schedule without DAST profiles present

schedule_without_profile

type: pipeline with DAST profiles present

pipeline_with_profile

type: pipeline without DAST profiles present

pipeline_without_profile

How to set up and validate locally

Validate type: schedule policies

  1. Create a new project
  2. Navigate to Security & Compliance > Configuration and under "DAST", click the "DAST profiles" button
  • Create a scanner profile "scanner-profile"
  • Create a site profile "site-profile"
  1. Navigate to Security & Compliance > Policies
  2. Create a new policy from the following contents:
scan_execution_policy:
name: foobar
description: foobar
enabled: true
actions:
- scan: dast
  scanner_profile: scanner-profile
  site_profile: site-profile
- scan: container_scanning
rules:
- type: schedule
  cadence: "*/30 * * * *"
  branches:
  - main
  1. Merge the resulting policy MR
  2. Create a new file with the following contents, eg. schedule.rb:
schedule = Security::OrchestrationPolicyRuleSchedule.last
project = schedule.security_orchestration_policy_configuration.project
current_user = schedule.owner
Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)
  1. Execute it: bin/rails runner schedule.rb
  2. Navigate to CI/CD > Pipelines
  3. Verify that the dast-on-demand-0 job was created in the dast stage

Validate type: pipeline policies

  1. In the previously created project, navigate to Security & Compliance > Policies
  2. Update the existing policy with the following contents:
scan_execution_policy:
name: foobar
description: foobar
enabled: true
actions:
- scan: dast
  scanner_profile: scanner-profile
  site_profile: site-profile
- scan: container_scanning
rules:
- type: pipeline
  branches:
  - main
  1. Commit the following .gitlab-ci.yml to the main branch:
dummy_job:
  stage: test
  script: ":" # no-op
  1. Verify that the dast-on-demand-0 job was created in the dast stage

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Bauer

Merge request reports

Loading