
Resolve "Create X-Ray scanner uploader job"

Allen Cook requested to merge 432235-create-x-ray-scanner-uploader-job into master

What does this MR do and why?

Adds a CI/CD report and uploader for the Repository X-Ray project.

  • Users can now scan and upload Repository X-Ray results with the repository_xray report type
  • The docker image for the X-Ray repo is used to scan the source code, then the results are uploaded as a job artifact of the repository_xray type
  • After that succeeds, the StoreRepositoryXrayWorker and StoreRepositoryXrayService parse the artifacts and store them as a new Projects::XrayReport model, which holds the report as a JSON payload
  • Currently the X-Ray report only contains dependency library information, but it will be extended over time to include more
  • The Repository X-Ray scanner only supports Ruby, JavaScript and Go right now
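As an added illustration of the parse-and-store step described above, the following is hypothetical code, not the MR's StoreRepositoryXrayService: it reads each uploaded repository_xray artifact, rejects anything that is not a bounded-size JSON object, and returns the payloads that would be persisted. The file names, size limit and report keys are constructed assumptions.

```ruby
require 'json'
require 'tmpdir'

# Constructed limits (assumptions, not values from the MR): a job artifact is
# attacker-influenced input from the pipeline, so bound size and nesting
# before handing it to the JSON parser and the database.
MAX_ARTIFACT_BYTES = 1024 * 1024 # 1 MiB per report file
MAX_JSON_DEPTH = 20

# Hypothetical stand-in for the worker's parse step: returns [payloads, errors],
# both keyed by artifact path, so a caller can store the good reports and log
# the rejected ones instead of failing the whole job.
def parse_xray_artifacts(paths)
  payloads = {}
  errors = {}
  paths.each do |path|
    size = File.size(path)
    if size > MAX_ARTIFACT_BYTES
      errors[path] = "artifact too large (#{size} bytes)"
      next
    end
    begin
      data = JSON.parse(File.read(path), max_nesting: MAX_JSON_DEPTH)
    rescue JSON::ParserError => e # JSON::NestingError is a subclass
      errors[path] = "invalid JSON: #{e.class}"
      next
    end
    unless data.is_a?(Hash)
      errors[path] = 'top-level value must be a JSON object'
      next
    end
    payloads[path] = data
  end
  [payloads, errors]
end

# Constructed sample artifacts; 'language' and 'libs' are assumed report keys.
def write_sample_artifacts(dir)
  good = File.join(dir, 'ruby.json')
  File.write(good, JSON.generate({ 'language' => 'ruby', 'libs' => [{ 'name' => 'rails' }] }))
  truncated = File.join(dir, 'truncated.json')
  File.write(truncated, '{"language": "go", "libs": [')
  array = File.join(dir, 'array.json')
  File.write(array, '[1, 2, 3]')
  [good, truncated, array]
end

def demo
  Dir.mktmpdir do |dir|
    payloads, errors = parse_xray_artifacts(write_sample_artifacts(dir))
    [payloads.size, errors.size, payloads.values.first['language']]
  end
end
```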

Screenshots or screen recordings

Example CI/CD

```yaml
xray:
  stage: build
  image: registry.gitlab.com/gitlab-org/code-creation/repository-x-ray:latest
  allow_failure: true
  script:
  - x-ray-scan -p "$CI_PROJECT_DIR"
  artifacts:
    reports:
      repository_xray: reports/**/*.json
```

Migration Output

How to set up and validate locally

  1. Set up a new project (or use an existing one)
  2. Create a code suggestions service token in the rails console for the cloud connection: FactoryBot.create(:service_access_token, :active)
  3. Create a code suggestions add-on subscription for the project's namespace in the rails console: GitlabSubscriptions::AddOnPurchase.for_code_suggestions.create(namespace_id: PROJECT_NAMESPACE_ID, quantity: 5, purchase_xid: "NOT REAL", expires_on: DateTime.now + 2.years)
  4. Add a job using the example template above
  5. Wait for the job to complete (this may take a while on large repos)
  6. Check for the output via the rails console, e.g. Projects::XrayReport.where(project_id: PROJECT_ID)
  7. There should be results saved for the supported languages (Ruby, JavaScript and Go)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #432235 (closed)

Edited by Allen Cook
