
Fix inconsistency in variable names for security scanners, leading to unexpected behavior.

What does this MR do and why?

How to set up and validate locally

  1. Start GitLab with GDK in an air-gap environment.
  2. Set up a project, group or instance level variable SECURE_ANALYZERS_PREFIX pointing to a personal registry, e.g. registry.gitlab.local.
  3. Copy the GitLab scanner images (SAST, SAST IaC, DAST, DAST Validation, DAST API & Fuzz API, Container Scanning, Dependency Scanning, Secret Detection) to this registry:

     GITLAB_REGISTRY="registry.gitlab.com/security-products"
     AIRGAP_REGISTRY="registry.gitlab.local"

     # image:tag of each analyzer to mirror into the air-gap registry
     SECURITY_SCANNERS=("gitlab-advanced-sast:2" "kics:6" "dast:6" "dast-runner-validation:1" "api-security:6" "container-scanning:8" "dependency-scanning:v0" "secrets:7")

     for scanner in "${SECURITY_SCANNERS[@]}"; do
         echo "Processing: $scanner"
         docker pull "$GITLAB_REGISTRY/$scanner"
         docker tag "$GITLAB_REGISTRY/$scanner" "$AIRGAP_REGISTRY/$scanner"
         docker push "$AIRGAP_REGISTRY/$scanner"
     done

  4. Set up a DAST Site profile and trigger the Site validation.
  5. Set up a GitLab CI pipeline with all the above scanners.
  6. Check that both pipelines (Site Validation and regular GitLab CI) have pulled their images from the air-gap registry.
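To make the last step mechanical rather than a visual scan of job logs, here is an added helper (not part of this MR) that extracts the image references from runner log lines and fails if any analyzer was pulled from somewhere other than the registry named in SECURE_ANALYZERS_PREFIX. The log line shape and the sample logs are constructed for the example; the registry value is assumed to be registry.gitlab.local as in the steps above.

```shell
#!/bin/sh
# Added example: audit a pipeline's job log to confirm every analyzer image
# was pulled from the air-gap registry (the SECURE_ANALYZERS_PREFIX value).

AIRGAP_REGISTRY="registry.gitlab.local"   # assumed SECURE_ANALYZERS_PREFIX

# Print the image reference from each runner "Using docker image" line on stdin.
# Assumed line shape: "Using docker image sha256:<digest> for <image> with digest ..."
extract_images() {
    sed -n 's/^Using docker image sha256:[0-9a-f]* for \([^ ]*\).*/\1/p'
}

# Read image references on stdin; succeed only if at least one image was found
# and every one of them starts with "<prefix>/". Offenders are reported on stderr.
check_images_from_registry() {
    prefix="$1"; bad=0; count=0
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        count=$((count + 1))
        case "$image" in
            "$prefix"/*) ;;
            *) printf 'NOT from %s: %s\n' "$prefix" "$image" >&2; bad=1 ;;
        esac
    done
    # An empty result means the log held no image pulls at all: treat as failure.
    [ "$count" -gt 0 ] || { echo 'no analyzer images found in log' >&2; return 1; }
    return "$bad"
}

# audit_pipeline_log <log text> <registry prefix>
audit_pipeline_log() {
    printf '%s\n' "$1" | extract_images | check_images_from_registry "$2"
}

# Constructed sample logs: one fully mirrored, one with Container Scanning
# still coming from registry.gitlab.com (the case this MR is about).
GOOD_LOG='Using docker image sha256:0a1b for registry.gitlab.local/secrets:7 with digest registry.gitlab.local/secrets@sha256:0a1b ...
Using docker image sha256:2c3d for registry.gitlab.local/container-scanning:8 with digest registry.gitlab.local/container-scanning@sha256:2c3d ...'
MIXED_LOG='Using docker image sha256:0a1b for registry.gitlab.local/secrets:7 with digest registry.gitlab.local/secrets@sha256:0a1b ...
Using docker image sha256:4e5f for registry.gitlab.com/security-products/container-scanning:8 with digest registry.gitlab.com/security-products/container-scanning@sha256:4e5f ...'

audit_pipeline_log "$GOOD_LOG" "$AIRGAP_REGISTRY" && echo "all analyzer images came from $AIRGAP_REGISTRY"
```

Pipe a real job log in place of the constructed one, for example via `gitlab-ci job trace` output or the job's raw log download, and run the audit once per pipeline (Site Validation and the regular CI pipeline).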

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

  • You have confirmed that this change is backwards compatible across updates
    • Customers running in air-gap environments have overridden CS_ANALYZER_IMAGE to be able to run the CS scanner. Changes in this MR will not affect them.
    • Customers running in self-managed environments who have overridden SECURE_ANALYZERS_PREFIX to run local SAST or DS scanners are impacted. They must now upload the Container Scanning image to their local registry, or set CS_ANALYZER_IMAGE to use registry.gitlab.com.
      • This only applies to self-managed customers who are simultaneously running SAST, SD or DS scanners from a local registry and Container Scanning from the GitLab.com registry.
    • Customers running in air-gap environments cannot run DAST Site validation, as the registry is hard-coded. Changes in this MR open a new opportunity to run this validation and so to run on-demand DAST in these environments.
