Skip to content

Add button to Security Configuration to enable SAST scanning

What does this MR do?

Add button to enable SAST scanning

This adds a button to the Security Configuration page, allowing the user to enable SAST scanning via a merge request with a simple click. This button is only displayed when:

  1. The sast_configuration_by_click feature flag is enabled.
  2. The project does not have an existing .gitlab-ci.yml file.

Some other changes include (and are not behind any feature flag):

  • Add third status text string for when Auto DevOps is enabled.
  • Add third column headed "Manage" to the Security Configuration table, which contains a link to that scanner's documentation. This is where the button appears in the SAST case when the sast_configuration_by_click feature flag is enabled.
  • Extract thClass constant in app component.
  • Do not guard the SASTConfigurationController#create action behind the sast_configuration_ui feature flag. This feature flag is intended for a future iteration when an actual configuration UI exists for SAST, which is what that controller is actually for. In this iteration, it's simply a placeholder for the temporary REST endpoint, which will be replaced by a GraphQL mutation in another iteration.

This is an MVC for creating a Configuration UI for SAST. Some technical debt has been incurred here:

  1. The REST (POST) endpoint used to create the merge request will be replaced by a GraphQL mutation.
  2. The type of each feature has been added to the security configuration features exposed to the fronted. This should be replaced by a field exposing the scanner's configuration UI path (or similar).
  3. The CreateMergeRequestButton component will likely be removed in the next iteration of the SAST Configuration UI, particularly if the GraphQL mutation is ready by then.

Addresses #220573 (closed), part of Configuration UI for SAST.

Screenshots

sast_configuration_by_click disabled

Before After
security_configuration_page_v13_1 security_configuration_page_v13_2

sast_configuration_by_click enabled

Auto DevOps disabled Auto DevOps enabled
Screenshot_from_2020-07-13_19-06-10 Screenshot_from_2020-07-13_19-05-51

Demo video demonstrating redirection to new MR page

(Follow the Testing locally steps to reproduce this.)

ADO_disabled

Testing locally

  1. Enable the sast_configuration_by_click feature flag
  2. Merge in the backend work from !36225 (merged)
  3. Navigate to the Security Configuration page for a project which does not have a .gitlab-ci.yml file in its repository.

Note: This MR is not blocked by !36225 (merged), since the parts that depend on it are hidden behind the sast_configuration_by_click feature flag.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Edited by Mark Florian

Merge request reports

Loading