From a9de6dd13b47c3c03f1376ffec1e21604792b338 Mon Sep 17 00:00:00 2001
From: "Alan (Maciej) Paruszewski"
Date: Tue, 10 Jun 2025 09:23:41 +0200
Subject: [PATCH 1/8] Add SAST Partial Scan to false and support for inputs in SEP EE: true
---
 .../ci_action/template.rb | 23 ++++++++++++++++---
 .../scan_pipeline_service.rb | 6 +++--
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
index 79feaa90bd3b8a..1e587b45bee43f 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
@@ -13,6 +13,14 @@ class Template < Base
 }.freeze
 EXCLUDED_VARIABLES_PATTERNS = %w[_DISABLED].freeze
 LATEST_TEMPLATE_TYPE = 'latest'
+ DEFAULT_INPUTS = {
+ 'sast' => {
+ 'input1' => 'example'
+ },
+ 'sast_iac' => {
+ 'input2' => 'example'
+ }
+ }.freeze
 def self.scan_template_path(scan_type, latest)
 scan_template_ci_path = CiAction::Template::SCAN_TEMPLATES[scan_type]
@@ -22,7 +30,7 @@ def self.scan_template_path(scan_type, latest)
 end
 def config
- ci_configuration = template_ci_configuration(@action[:scan])
+ ci_configuration = template_ci_configuration(@action[:scan], @action[:inputs])
 variables = merge_variables(ci_configuration.delete(:variables), @ci_variables)
 ci_configuration.reject! { |job_name, _| hidden_job?(job_name) }
@@ -41,8 +49,17 @@ def config
 private
- def template_ci_configuration(scan_type)
- @opts[:template_cache].fetch(scan_type, latest: use_latest_template?)
+ # In case you want to allow users to define inputs in the future in Scan Execution Policies,
+ # you could fetch them from action hash and provide them here
+ def template_ci_configuration(scan_type, action_inputs)
+ ci_configuration_template = @opts[:template_cache].fetch(scan_type, template: scan_template)
+ return ci_configuration_template unless ci_configuration_template.include?(:spec)
+
+ # Optional if you want to allow users to define inputs in SEP policy
+ template_inputs = (DEFAULT_INPUTS[scan_type] || {}).merge(action_inputs.to_h)
+ Gitlab::Ci::Config::Interpolation::Template
+ .new(ci_configuration_template, { inputs: template_inputs })
+ .interpolated
 end
 def use_latest_template?
diff --git a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
index abfdf0aa1e5419..669c026a20ca2c 100644
--- a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
@@ -21,11 +21,13 @@ class ScanPipelineService
 sast: {
 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
- 'SAST_EXCLUDED_ANALYZERS' => ''
+ 'SAST_EXCLUDED_ANALYZERS' => '',
+ 'SAST_PARTIAL_SCAN' => 'false'
 },
 sast_iac: {
 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
- 'SAST_EXCLUDED_ANALYZERS' => ''
+ 'SAST_EXCLUDED_ANALYZERS' => '',
+ 'SAST_PARTIAL_SCAN' => 'false'
 }
 }.freeze
-- GitLab
From 88ecbf91806fee8ff484b937cd86cd7f8d9cdc33 Mon Sep 17 00:00:00 2001
From: "Alan (Maciej) Paruszewski"
Date: Tue, 24 Jun 2025 08:11:34 +0200
Subject: [PATCH 2/8] Apply 1 suggestion(s) to 1 file(s)
---
 .../security_orchestration_policies/ci_action/template.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
index 1e587b45bee43f..160153bcf50c95 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
@@ -52,7 +52,7 @@ def config
 # In case you want to allow users to define inputs in the future in Scan Execution Policies,
 # you could fetch them from action hash and provide them here
 def template_ci_configuration(scan_type, action_inputs)
- ci_configuration_template = @opts[:template_cache].fetch(scan_type, template: scan_template)
+ ci_configuration_template = @opts[:template_cache].fetch(scan_type, latest: use_latest_template?)
 return ci_configuration_template unless ci_configuration_template.include?(:spec)
 # Optional if you want to allow users to define inputs in SEP policy
-- GitLab
From dc508c64e891e916fd4475f7478f2fa8cb5d77dd Mon Sep 17 00:00:00 2001
From: smtan
Date: Mon, 4 Aug 2025 20:24:44 +0800
Subject: [PATCH 3/8] Remove support for inputs in SEP and add tests
---
 .../ci_action/template.rb | 23 +++----------------
 .../scan_pipeline_service.rb | 3 +--
 .../ci_action/template_spec.rb | 3 ++-
 3 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
index 160153bcf50c95..79feaa90bd3b8a 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
@@ -13,14 +13,6 @@ class Template < Base
 }.freeze
 EXCLUDED_VARIABLES_PATTERNS = %w[_DISABLED].freeze
 LATEST_TEMPLATE_TYPE = 'latest'
- DEFAULT_INPUTS = {
- 'sast' => {
- 'input1' => 'example'
- },
- 'sast_iac' => {
- 'input2' => 'example'
- }
- }.freeze
 def self.scan_template_path(scan_type, latest)
 scan_template_ci_path = CiAction::Template::SCAN_TEMPLATES[scan_type]
@@ -30,7 +22,7 @@ def self.scan_template_path(scan_type, latest)
 end
 def config
- ci_configuration = template_ci_configuration(@action[:scan], @action[:inputs])
+ ci_configuration = template_ci_configuration(@action[:scan])
 variables = merge_variables(ci_configuration.delete(:variables), @ci_variables)
 ci_configuration.reject! { |job_name, _| hidden_job?(job_name) }
@@ -49,17 +41,8 @@ def config
 private
- # In case you want to allow users to define inputs in the future in Scan Execution Policies,
- # you could fetch them from action hash and provide them here
- def template_ci_configuration(scan_type, action_inputs)
- ci_configuration_template = @opts[:template_cache].fetch(scan_type, latest: use_latest_template?)
- return ci_configuration_template unless ci_configuration_template.include?(:spec)
-
- # Optional if you want to allow users to define inputs in SEP policy
- template_inputs = (DEFAULT_INPUTS[scan_type] || {}).merge(action_inputs.to_h)
- Gitlab::Ci::Config::Interpolation::Template
- .new(ci_configuration_template, { inputs: template_inputs })
- .interpolated
+ def template_ci_configuration(scan_type)
+ @opts[:template_cache].fetch(scan_type, latest: use_latest_template?)
 end
 def use_latest_template?
diff --git a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
index 669c026a20ca2c..9aae2aadc29fc4 100644
--- a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
@@ -26,8 +26,7 @@ class ScanPipelineService
 },
 sast_iac: {
 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
- 'SAST_EXCLUDED_ANALYZERS' => '',
- 'SAST_PARTIAL_SCAN' => 'false'
+ 'SAST_EXCLUDED_ANALYZERS' => ''
 }
 }.freeze
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
index 3e45ce380a6e7f..3a70a474d5862a 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -266,7 +266,8 @@
 'SAST_EXCLUDED_ANALYZERS' => '',
 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
- 'SCAN_KUBERNETES_MANIFESTS' => 'false'
+ 'SCAN_KUBERNETES_MANIFESTS' => 'false',
+ 'SAST_PARTIAL_SCAN' => 'false'
 }
 expect(config[:variables]).to be_nil
-- GitLab
From d0fcd8bd2efc6533ae581e2dd1563b7c8497500b Mon Sep 17 00:00:00 2001
From: smtan
Date: Tue, 5 Aug 2025 11:36:54 +0800
Subject: [PATCH 4/8] Update env var name
---
 .../security_orchestration_policies/scan_pipeline_service.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
index 9aae2aadc29fc4..6eedd17acd8c55 100644
--- a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
@@ -22,7 +22,7 @@ class ScanPipelineService
 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
 'SAST_EXCLUDED_ANALYZERS' => '',
- 'SAST_PARTIAL_SCAN' => 'false'
+ 'ADVANCED_SAST_PARTIAL_SCAN' => 'false'
 },
 sast_iac: {
 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
-- GitLab
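Review bot: The renamed `'ADVANCED_SAST_PARTIAL_SCAN' => 'false'` entry in the `sast:` defaults carries no comment saying why the policy pipeline pins partial scanning off, and a variable under a name the analyzer does not read would silently provide no protection, so both the intent and the exact key deserve to be visible at this line. I would add directly above the entry `# Policy-enforced SAST should cover the whole tree: pin diff-based Advanced SAST scanning off so a project cannot narrow the enforced scan` — worded as the presumed intent, since the hunk does not state it — and confirm the key is the one the Advanced SAST analyzer actually honours. The spec context 'when action contains variables overriding predefined ones' later in this series shows action-level variables replacing these defaults, so a policy author can still set the flag to `'true'`; whether a project's own CI/CD variables can also override it is decided by variable precedence outside this file and should be confirmed rather than assumed. The enclosing constant hash starts before the hunk.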
From 2717e8968b7c17e8ef57afca150a65c17830db95 Mon Sep 17 00:00:00 2001
From: Shao Ming Tan
Date: Wed, 6 Aug 2025 14:53:29 +0800
Subject: [PATCH 5/8] Apply 1 suggestion(s) to 1 file(s)
Co-authored-by: Alan (Maciej) Paruszewski
---
 .../security_orchestration_policies/ci_action/template_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
index 3a70a474d5862a..70847440f0c364 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -267,7 +267,7 @@
 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
 'SCAN_KUBERNETES_MANIFESTS' => 'false',
- 'SAST_PARTIAL_SCAN' => 'false'
+ 'ADVANCED_SAST_PARTIAL_SCAN' => 'false'
 }
 expect(config[:variables]).to be_nil
-- GitLab
From 645f5bd2bc0efe55cabc829a8b2f5d02a88e1bc9 Mon Sep 17 00:00:00 2001
From: "Alan (Maciej) Paruszewski"
Date: Thu, 7 Aug 2025 14:08:18 +0200
Subject: [PATCH 6/8] Fix failing spec
---
 .../ci_action/template_spec.rb | 3 +--
 .../scan_pipeline_service_spec.rb | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
index 70847440f0c364..3e45ce380a6e7f 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -266,8 +266,7 @@
 'SAST_EXCLUDED_ANALYZERS' => '',
 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
- 'SCAN_KUBERNETES_MANIFESTS' => 'false',
- 'ADVANCED_SAST_PARTIAL_SCAN' => 'false'
+ 'SCAN_KUBERNETES_MANIFESTS' => 'false'
 }
 expect(config[:variables]).to be_nil
diff --git a/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
index 8d431ef63560bd..bde305f9b7e39e 100644
--- a/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
@@ -113,12 +113,12 @@
 context 'when action contains variables overriding predefined ones' do
 let(:actions) { [{ scan: 'sast', variables: { SAST_EXCLUDED_ANALYZERS: 'semgrep', 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp, other_location' } }] }
- it_behaves_like 'creates scan jobs', pipeline_scan_job_templates: %w[Jobs/SAST], variables: { 'sast-0': { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp, other_location' } }
+ it_behaves_like 'creates scan jobs', pipeline_scan_job_templates: %w[Jobs/SAST], variables: { 'sast-0': { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp, other_location', 'ADVANCED_SAST_PARTIAL_SCAN' => 'false' } }
 it 'allows passing variables from the action into configuration service' do
 expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
 expect(ci_configuration_service).to receive(:execute).once
- .with(actions.first, { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp, other_location' }, context, 0).and_call_original
+ .with(actions.first, { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp, other_location', 'ADVANCED_SAST_PARTIAL_SCAN' => 'false' }, context, 0).and_call_original
 end
 subject
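Review bot: The updated expectations in this hunk only show the `'ADVANCED_SAST_PARTIAL_SCAN' => 'false'` default surviving when the action does not mention it; nothing here pins whether an action may set it to `'true'`, so the property a security reviewer actually cares about — who is allowed to turn partial scanning back on for a policy-enforced scan — stays untested. Add a sibling example in this context whose `let(:actions)` includes `ADVANCED_SAST_PARTIAL_SCAN: 'true'` and asserts the merged value, so a later decision to make the flag non-overridable (or the reverse) fails a spec instead of going unnoticed. On style, the `it_behaves_like` line is now well over 300 characters; breaking the `variables:` hash across lines would keep the next change to it reviewable. The enclosing `context` block continues past the hunk.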
@@ -172,7 +172,7 @@
 it_behaves_like 'creates scan jobs',
 on_demand_jobs: %i[dast-on-demand-0],
 pipeline_scan_job_templates: %w[Jobs/Secret-Detection Jobs/Container-Scanning Jobs/SAST],
- variables: { 'container-scanning-1': {}, 'dast-on-demand-0': {}, 'sast-2': { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => '', 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS' }, 'secret-detection-0': { 'SECRET_DETECTION_HISTORIC_SCAN' => 'false', 'SECRET_DETECTION_EXCLUDED_PATHS' => '' } }
+ variables: { 'container-scanning-1': {}, 'dast-on-demand-0': {}, 'sast-2': { 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_ANALYZERS' => '', 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS', 'ADVANCED_SAST_PARTIAL_SCAN' => 'false' }, 'secret-detection-0': { 'SECRET_DETECTION_HISTORIC_SCAN' => 'false', 'SECRET_DETECTION_EXCLUDED_PATHS' => '' } }
 end
 context 'when there are valid and invalid actions' do
-- GitLab
From f972ab4940d58593997c77c93fca85e3d0af6353 Mon Sep 17 00:00:00 2001
From: "Alan (Maciej) Paruszewski"
Date: Wed, 1 Oct 2025 10:28:52 +0200
Subject: [PATCH 7/8] Fix failing specs
---
 .../ci/variables/builder/scan_execution_policies_spec.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ee/spec/lib/ee/gitlab/ci/variables/builder/scan_execution_policies_spec.rb b/ee/spec/lib/ee/gitlab/ci/variables/builder/scan_execution_policies_spec.rb
index 43f277168bb0cf..93d619b2b8c7ee 100644
--- a/ee/spec/lib/ee/gitlab/ci/variables/builder/scan_execution_policies_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/variables/builder/scan_execution_policies_spec.rb
@@ -73,7 +73,8 @@
 'container-scanning-0' | { 'CS_REGISTRY_USER' => 'user' }
 'brakeman-sast-1' | { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep',
 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
- 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp' }
+ 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
+ 'ADVANCED_SAST_PARTIAL_SCAN' => 'false' }
 'secret-detection-2' | { 'SECRET_DETECTION_HISTORIC_SCAN' => 'true',
 'SECRET_DETECTION_EXCLUDED_PATHS' => '' }
 'kics-iac-sast-3' | { 'SAST_IMAGE_SUFFIX' => '-fips',
@@ -138,7 +139,8 @@
 [
 item(key: 'DEFAULT_SAST_EXCLUDED_PATHS', value: 'spec, test, tests, tmp'),
 item(key: 'SAST_EXCLUDED_PATHS', value: '$DEFAULT_SAST_EXCLUDED_PATHS'),
- item(key: 'SAST_EXCLUDED_ANALYZERS', value: 'semgrep')
+ item(key: 'SAST_EXCLUDED_ANALYZERS', value: 'semgrep'),
+ item(key: 'ADVANCED_SAST_PARTIAL_SCAN', value: 'false')
 ]
 end
 end
-- GitLab
From 723ffb47acbdf57076e7befd2f3d8a08d19d276a Mon Sep 17 00:00:00 2001
From: "Alan (Maciej) Paruszewski"
Date: Thu, 2 Oct 2025 08:26:59 +0200
Subject: [PATCH 8/8] Fix failing specs
---
 .../create_pipeline_service_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
index 16ce0e5f62b49c..55b123bd8816de 100644
--- a/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
@@ -437,7 +437,7 @@
 expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
 expect(ci_configuration_service).to receive(:execute).once.with(
 actions.first,
- { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS' },
+ { 'ADVANCED_SAST_PARTIAL_SCAN' => 'false', 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp', 'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS' },
 kind_of(Gitlab::Ci::Config::External::Context), 0
 ).and_call_original
 end
-- GitLab