diff --git a/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb index 20b43261a2b6c39faa0e1e45eacf2af63d9a04da..0d055daffb68afa0d5d0a11aa76ccc5b8086b721 100644 --- a/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb +++ b/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb 
@@ -9,6 +9,136 @@ specify { expect(template).not_to be_nil } + describe 'template content' do + let(:secure_binaries) { YAML.safe_load(template.content) } + let(:secure_binaries_analyzers) { secure_binaries["variables"]["SECURE_BINARIES_ANALYZERS"].split(%r{\s*,\s*}) } + let(:secure_analyzers_prefix) { secure_binaries["variables"]["SECURE_ANALYZERS_PREFIX"] } + + context 'when compared to DAST-API template' do + let(:dast_api_template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST-API') } + let(:dast_api) { YAML.safe_load(dast_api_template.content) } + let(:dast_api_image_prefix) { dast_api["variables"]["SECURE_ANALYZERS_PREFIX"] } + let(:dast_api_image_version) { dast_api["variables"]["DAST_API_VERSION"] } + let(:dast_api_image_name) { dast_api["variables"]["DAST_API_IMAGE"] } + + it 'includes the same DAST API image prefix' do + expect(secure_analyzers_prefix).to eq(dast_api_image_prefix) + end + + it 'includes the DAST API image name in secure binary analyzers' do + expect(secure_binaries_analyzers).to include(dast_api_image_name) + end + + it 'includes a job named after the DAST API image name' do + expect(secure_binaries.has_key?(dast_api_image_name)).to be true + end + + it 'includes the same DAST API image version' do + version = secure_binaries[dast_api_image_name]["variables"]["SECURE_BINARIES_ANALYZER_VERSION"] + expect(version).to eq(dast_api_image_version) + end + + it 'filters the secure binary analyzers by the DAST API image name' do + only_variables = secure_binaries[dast_api_image_name]["only"]["variables"][0] + filter_expr = "$SECURE_BINARIES_ANALYZERS =~ /\\b#{dast_api_image_name}\\b/" + expect(only_variables).to include(filter_expr) + end + end + + context 'when compared to DAST-API.latest template' do + let(:dast_api_latest_template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST-API.latest') } + let(:dast_api_latest) { YAML.safe_load(dast_api_latest_template.content) } + let(:dast_api_latest_image_prefix) { 
dast_api_latest["variables"]["SECURE_ANALYZERS_PREFIX"] } + let(:dast_api_latest_image_version) { dast_api_latest["variables"]["DAST_API_VERSION"] } + let(:dast_api_latest_image_name) { dast_api_latest["variables"]["DAST_API_IMAGE"] } + + it 'includes the same DAST API image prefix' do + expect(secure_analyzers_prefix).to eq(dast_api_latest_image_prefix) + end + + it 'includes the DAST API image name in secure binary analyzers' do + expect(secure_binaries_analyzers).to include(dast_api_latest_image_name) + end + + it 'includes a job named after the DAST API image name' do + expect(secure_binaries.has_key?(dast_api_latest_image_name)).to be true + end + + it 'includes the same DAST API image version' do + version = secure_binaries[dast_api_latest_image_name]["variables"]["SECURE_BINARIES_ANALYZER_VERSION"] + expect(version).to eq(dast_api_latest_image_version) + end + + it 'filters the secure binary analyzers by the DAST API image name' do + only_variables = secure_binaries[dast_api_latest_image_name]["only"]["variables"][0] + filter_expr = "$SECURE_BINARIES_ANALYZERS =~ /\\b#{dast_api_latest_image_name}\\b/" + expect(only_variables).to include(filter_expr) + end + end + + context 'when compared to API-Fuzzing template' do + let(:api_fuzzing_template) { Gitlab::Template::GitlabCiYmlTemplate.find('API-Fuzzing') } + let(:api_fuzzing) { YAML.safe_load(api_fuzzing_template.content) } + let(:api_fuzzing_image_prefix) { api_fuzzing["variables"]["SECURE_ANALYZERS_PREFIX"] } + let(:api_fuzzing_image_version) { api_fuzzing["variables"]["FUZZAPI_VERSION"] } + let(:api_fuzzing_image_name) { api_fuzzing["variables"]["FUZZAPI_IMAGE"] } + + it 'includes the same API Fuzzing image prefix' do + expect(secure_analyzers_prefix).to eq(api_fuzzing_image_prefix) + end + + it 'includes the API Fuzzing image name in secure binary analyzers' do + expect(secure_binaries_analyzers).to include(api_fuzzing_image_name) + end + + it 'includes a job named after the API Fuzzing image name' do + 
expect(secure_binaries.has_key?(api_fuzzing_image_name)).to be true + end + + it 'includes the same API Fuzzing image version' do + version = secure_binaries[api_fuzzing_image_name]["variables"]["SECURE_BINARIES_ANALYZER_VERSION"] + expect(version).to eq(api_fuzzing_image_version) + end + + it 'filters the secure binary analyzers by the API Fuzzing image name' do + only_variables = secure_binaries[api_fuzzing_image_name]["only"]["variables"][0] + filter_expr = "$SECURE_BINARIES_ANALYZERS =~ /\\b#{api_fuzzing_image_name}\\b/" + expect(only_variables).to include(filter_expr) + end + end + + context 'when compared to API-Fuzzing.latest template' do + let(:api_fuzzing_latest_template) { Gitlab::Template::GitlabCiYmlTemplate.find('API-Fuzzing.latest') } + let(:api_fuzzing_latest) { YAML.safe_load(api_fuzzing_latest_template.content) } + let(:api_fuzzing_latest_image_prefix) { api_fuzzing_latest["variables"]["SECURE_ANALYZERS_PREFIX"] } + let(:api_fuzzing_latest_image_version) { api_fuzzing_latest["variables"]["FUZZAPI_VERSION"] } + let(:api_fuzzing_latest_image_name) { api_fuzzing_latest["variables"]["FUZZAPI_IMAGE"] } + + it 'includes the same API Fuzzing image prefix' do + expect(secure_analyzers_prefix).to eq(api_fuzzing_latest_image_prefix) + end + + it 'includes the API Fuzzing image name in secure binary analyzers' do + expect(secure_binaries_analyzers).to include(api_fuzzing_latest_image_name) + end + + it 'includes a job named after the API Fuzzing image name' do + expect(secure_binaries.has_key?(api_fuzzing_latest_image_name)).to be true + end + + it 'includes the same API Fuzzing image version' do + version = secure_binaries[api_fuzzing_latest_image_name]["variables"]["SECURE_BINARIES_ANALYZER_VERSION"] + expect(version).to eq(api_fuzzing_latest_image_version) + end + + it 'filters the secure binary analyzers by the API Fuzzing image name' do + only_variables = secure_binaries[api_fuzzing_latest_image_name]["only"]["variables"][0] + filter_expr = 
"$SECURE_BINARIES_ANALYZERS =~ /\\b#{api_fuzzing_latest_image_name}\\b/" + expect(only_variables).to include(filter_expr) + end + end + end + describe 'the created pipeline' do let_it_be(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) } @@ -60,5 +190,19 @@ end end end + + describe 'api-security' do + let_it_be(:build_name) { 'api-security' } + let_it_be(:version) { 2 } + + it_behaves_like 'an offline image download job' do + it 'sets SECURE_BINARIES_ANALYZER_VERSION explicitly' do + api_security_analyzer_version = "2" + + expect(build.variables.to_hash).to include( + 'SECURE_BINARIES_ANALYZER_VERSION' => api_security_analyzer_version) + end + end + end end end diff --git a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml index b34bfe2a53c41b0363c3c71c7de19e6cd24f6f4e..c414e70bfa3f4d4a2cb9a02f2172bae5745a419d 100644 --- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml @@ -20,7 +20,7 @@ variables: SECURE_BINARIES_ANALYZERS: >- bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep, gemnasium, gemnasium-maven, gemnasium-python, license-finder, - dast, dast-runner-validation, api-fuzzing + dast, dast-runner-validation, api-security SECURE_BINARIES_DOWNLOAD_IMAGES: "true" SECURE_BINARIES_PUSH_IMAGES: "true" @@ -252,11 +252,11 @@ dast-runner-validation: - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/ -api-fuzzing: +api-security: extends: .download_images variables: - SECURE_BINARIES_ANALYZER_VERSION: "1" + SECURE_BINARIES_ANALYZER_VERSION: "2" only: variables: - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_ANALYZERS =~ /\bapi-fuzzing\b/ + $SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/
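Review bot: The four `context 'when compared to … template'` blocks in the new `describe 'template content'` are the same five examples repeated with only the template name and the `*_VERSION`/`*_IMAGE` variable names changed, so a future tweak (say, a sixth check) has to be made four times. A parameterised `shared_examples` that takes the template name and the two variable names removes the duplication and keeps the four comparisons in lockstep; `expect(secure_binaries).to have_key(image_name)` also gives a better failure message than `expect(secure_binaries.has_key?(…)).to be true`, and `.first` reads better than `[0]` on the `only:` variables. The whole `describe 'template content'` block sits inside this hunk; the trailing `describe 'the created pipeline'` context continues outside it.
```ruby
shared_examples 'mirrors the analyzer image of' do |template_name, version_var, image_var|
  let(:other_template) { Gitlab::Template::GitlabCiYmlTemplate.find(template_name) }
  let(:other) { YAML.safe_load(other_template.content) }
  let(:image_name) { other["variables"][image_var] }

  it 'includes the same image prefix' do
    expect(secure_analyzers_prefix).to eq(other["variables"]["SECURE_ANALYZERS_PREFIX"])
  end

  it 'includes the image name in secure binary analyzers' do
    expect(secure_binaries_analyzers).to include(image_name)
  end

  it 'includes a job named after the image name' do
    expect(secure_binaries).to have_key(image_name)
  end

  it 'includes the same image version' do
    version = secure_binaries[image_name]["variables"]["SECURE_BINARIES_ANALYZER_VERSION"]
    expect(version).to eq(other["variables"][version_var])
  end

  it 'filters the secure binary analyzers by the image name' do
    only_variables = secure_binaries[image_name]["only"]["variables"].first
    expect(only_variables).to include("$SECURE_BINARIES_ANALYZERS =~ /\\b#{image_name}\\b/")
  end
end

it_behaves_like 'mirrors the analyzer image of', 'DAST-API', 'DAST_API_VERSION', 'DAST_API_IMAGE'
it_behaves_like 'mirrors the analyzer image of', 'DAST-API.latest', 'DAST_API_VERSION', 'DAST_API_IMAGE'
it_behaves_like 'mirrors the analyzer image of', 'API-Fuzzing', 'FUZZAPI_VERSION', 'FUZZAPI_IMAGE'
it_behaves_like 'mirrors the analyzer image of', 'API-Fuzzing.latest', 'FUZZAPI_VERSION', 'FUZZAPI_IMAGE'
```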
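Review bot: In the new `describe 'api-security'` block the expected analyzer version is written twice, once as `let_it_be(:version) { 2 }` and again as the hard-coded local `api_security_analyzer_version = "2"` inside the nested `it`, so the two can drift apart without either example noticing. Deriving the local from the `let` keeps a single source of truth: `'SECURE_BINARIES_ANALYZER_VERSION' => version.to_s`. I assume the outer `version` is consumed by the shared example `'an offline image download job'`, whose definition is outside this hunk, so that should be confirmed before dropping the local entirely.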
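Review bot: Replacing `api-fuzzing` with `api-security` in the default `SECURE_BINARIES_ANALYZERS` list, and renaming the job in the second YAML hunk, means a project that overrides that variable and still lists `api-fuzzing` gets no download job at all — the `only: variables:` rule on the renamed job matches only `\bapi-security\b`, and the old job no longer exists, so nothing fails and nothing is mirrored. For an offline/air-gapped setup that is a silent gap rather than an error, and may leave a stale analyzer image in the mirror. A short comment above the renamed job would make the migration explicit: `# Replaces the former api-fuzzing job (analyzer version 1); overrides of SECURE_BINARIES_ANALYZERS that still name api-fuzzing no longer match any job.` Whether a deprecation note belongs in the template's header as well depends on lines outside this hunk.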