Skip to content

Enhance Security configuration response with features

Aditya Tiwari requested to merge 342600-enhance-security-config into master

What does this MR do and why?

Enhance Security configuration response with features

Enhance Security configuration response with more info about features Replaces constants in constant.js

Changelog: added

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Output

Click to expand

{:auto_devops_enabled=>nil,
 :auto_devops_help_page_path=>"/help/topics/autodevops/index",
 :auto_devops_path=>"/namespace1/project-1/-/settings/ci_cd#autodevops-settings",
 :can_enable_auto_devops=>false,
 :features=>
  [{:type=>:sast,
    :configured=>false,
    :configuration_path=>nil,
    :available=>true,
    :can_enable_by_merge_request=>true,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Static Application Security Testing (SAST)",
      :short_name=>"SAST",
      :description=>"Analyze your source code for known vulnerabilities.",
      :help_path=>"/help/user/application_security/sast/index",
      :config_help_path=>"/help/user/application_security/sast/index#configuration",
      :type=>"sast"}},
   {:type=>:sast_iac,
    :configured=>false,
    :configuration_path=>nil,
    :available=>true,
    :can_enable_by_merge_request=>true,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Infrastructure as Code (IaC) Scanning",
      :short_name=>"ciReport|SAST IaC",
      :description=>"Analyze your infrastructure as code configuration files for known vulnerabilities.",
      :help_path=>"/help/user/application_security/iac_scanning/index",
      :config_help_path=>"/help/user/application_security/iac_scanning/index#configuration",
      :type=>"sast_iac"}},
   {:type=>:breach_and_attack_simulation,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:anchor=>"bas",
      :badge=>
       {:always_display=>true,
        :text=>"SecurityConfiguration|Incubating feature",
        :tooltip_text=>
         "SecurityConfiguration|Breach and Attack Simulation is an incubating feature extending existing security testing by simulating
adversary activity.",
        :variant=>"info"},
      :description=>
       "SecurityConfiguration|Simulate breach and attack scenarios against your running application by attempting to detect and exploit
known vulnerabilities.",
      :name=>"SecurityConfiguration|Breach and Attack Simulation (BAS)",
      :help_path=>"/help/user/application_security/breach_and_attack_simulation/index",
      :secondary=>
       {:config_help_path=>
         "/help/user/application_security/breach_and_attack_simulation/index#extend-dynamic-application-security-testing-dast",
        :description=>
         "SecurityConfiguration|Enable incubating Breach and Attack Simulation focused features such as callback attacks in your DAST sc
ans.",
        :name=>"SecurityConfiguration|Out-of-Band Application Security Testing (OAST)"},
      :short_name=>"SecurityConfiguration|BAS",
      :type=>"breach_and_attack_simulation"}},
   {:type=>:dast,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>true,
    :security_features=>
     {:badge=>
       {:text=>"Available on demand",
        :tooltip_text=>"On-demand scans run outside of the DevOps cycle and find vulnerabilities in your projects",
        :variant=>"info"},
      :secondary=>
       {:type=>"dast_profiles",
        :name=>"DAST profiles",
        :description=>"SecurityConfiguration|Manage profiles for use by DAST scans.",
        :configuration_text=>"SecurityConfiguration|Manage profiles"},
      :name=>"Dynamic Application Security Testing (DAST)",
      :short_name=>"ciReport|DAST",
      :description=>
       "ciReport|Analyze a deployed version of your web application for known vulnerabilities by examining it from the outside in. DAST
works by simulating external attacks on your application while it is running.",
      :help_path=>"/help/user/application_security/dast/index",
      :config_help_path=>"/help/user/application_security/dast/index#enable-automatic-dast-run",
      :type=>"dast",
      :anchor=>"dast"}},
   {:type=>:dependency_scanning,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>true,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Dependency Scanning",
      :description=>"Analyze your dependencies for known vulnerabilities.",
      :help_path=>"/help/user/application_security/dependency_scanning/index",
      :config_help_path=>"/help/user/application_security/dependency_scanning/index#configuration",
      :type=>"dependency_scanning",
      :anchor=>"dependency-scanning"}},
   {:type=>:container_scanning,
    :configured=>false,
    :configuration_path=>nil,
    :available=>true,
    :can_enable_by_merge_request=>true,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Container Scanning",
      :description=>"Check your Docker images for known vulnerabilities.",
      :help_path=>"/help/user/application_security/container_scanning/index",
      :config_help_path=>"/help/user/application_security/container_scanning/index#configuration",
      :type=>"container_scanning"}},
   {:type=>:secret_detection,
    :configured=>false,
    :configuration_path=>nil,
    :available=>true,
    :can_enable_by_merge_request=>true,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Secret Detection",
      :description=>"Analyze your source code and git history for secrets.",
      :help_path=>"/help/user/application_security/secret_detection/index",
      :config_help_path=>"/help/user/application_security/secret_detection/index#configuration",
      :type=>"secret_detection"}},
   {:type=>:coverage_fuzzing,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"Coverage Fuzzing",
      :description=>"Find bugs in your code with coverage-guided fuzzing.",
      :help_path=>"/help/user/application_security/coverage_fuzzing/index",
      :config_help_path=>"/help/user/application_security/coverage_fuzzing/index#enable-coverage-guided-fuzz-testing",
      :type=>"coverage_fuzzing",
      :secondary=>
       {:type=>"corpus_management",
        :name=>"Corpus Management",
        :description=>"SecurityConfiguration|Manage corpus files used as seed inputs with coverage-guided fuzzing.",
        :configuration_text=>"SecurityConfiguration|Manage corpus"}}},
   {:type=>:api_fuzzing,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>
     {:name=>"API Fuzzing",
      :description=>"Find bugs in your code with API fuzzing.",
      :help_path=>"/help/user/application_security/api_fuzzing/index",
      :type=>"api_fuzzing"}},
   {:type=>:cluster_image_scanning,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>{}},
   {:type=>:license_scanning,
    :configured=>false,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>{}},
   {:type=>:corpus_management,
    :configured=>true,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>{}},
   {:type=>:dast_profiles,
    :configured=>true,
    :configuration_path=>nil,
    :available=>false,
    :can_enable_by_merge_request=>false,
    :meta_info_path=>nil,
    :on_demand_available=>false,
    :security_features=>{}}],
 :help_page_path=>"/help/user/application_security/index",
 :latest_pipeline_path=>"/help/ci/pipelines/index",
 :gitlab_ci_present=>false,
 :gitlab_ci_history_path=>"",
 :auto_fix_enabled=>{:dependency_scanning=>true, :container_scanning=>true},
 :can_toggle_auto_fix_settings=>false,
 :auto_fix_user_path=>"/",
 :security_training_enabled=>false,
 :continuous_vulnerability_scans_enabled=>false}

How to set up and validate locally

Pull the branch and hit the ConfigurationController#show to view the response.

Related to #342600 (closed)

Edited by Aditya Tiwari

Merge request reports

Loading