Merge branch '472663-ignore-default-before-after-script-in-sep' into 'master'

Ignore default before and after_script for Scan Execution Policies See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159486 Merged-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Approved-by: Martin Čavoj <mcavoj@gitlab.com> Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Reviewed-by: Martin Čavoj <mcavoj@gitlab.com> Co-authored-by: Alan (Maciej) Paruszewski <mparuszewski@gitlab.com>

Merge branch '472663-ignore-default-before-after-script-in-sep' into 'master'
2ddb093e · Sashi Kumar Kumaresan · GitLab · c68e758c · 0e2d85a7 · 2ddb093e
--- a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
@@ -27,6 +27,7 @@ def config
          ci_configuration.each do |_, job_configuration|
            apply_variables!(job_configuration, variables)
            apply_tags!(job_configuration, @action[:tags])
+            apply_defaults!(job_configuration)
            remove_extends!(job_configuration)
            remove_rule_to_disable_job!(job_configuration, ci_variables)
          end
@@ -67,6 +68,11 @@ def apply_tags!(job_configuration, tags)
          job_configuration[:tags] = tags
        end

+        def apply_defaults!(job_configuration)
+          job_configuration[:before_script] ||= []
+          job_configuration[:after_script] ||= []
+        end
+
        def remove_extends!(job_configuration)
          job_configuration.delete(:extends)
        end

--- a/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb
@@ -37,7 +37,9 @@ def prepare_on_demand_scan_configuration(action)
          .deep_merge(
            'stage' => 'dast',
            'variables' => dast_on_demand_variables(action_variables),
-            'dast_configuration' => ci_configuration['dast']['dast_configuration']
+            'dast_configuration' => ci_configuration['dast']['dast_configuration'],
+            'before_script' => [],
+            'after_script' => []
          )
      end


--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -83,6 +83,8 @@
                },
                allow_failure: true,
                script: ['/analyze'],
+                before_script: [],
+                after_script: [],
                artifacts: { access: 'developer', reports: { dast: 'gl-dast-report.json' } },
                dast_configuration: {
                  site_profile: dast_site_profile.name,

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -292,6 +292,8 @@
              },
              allow_failure: true,
              script: ['/analyze'],
+              before_script: [],
+              after_script: [],
              artifacts: {
                access: 'developer',
                reports: {
@@ -322,6 +324,8 @@
            hash_including(
              rules: [{ if: '$CI_COMMIT_BRANCH' }],
              script: ["/analyzer run"],
+              before_script: [],
+              after_script: [],
              stage: scan_policy_stage,
              image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
              services: [],
@@ -352,6 +356,8 @@
            hash_including(
              artifacts: { access: 'developer', reports: { sast: 'gl-sast-report.json' } },
              script: ['/analyzer run'],
+              before_script: [],
+              after_script: [],
              image: { name: '$SAST_ANALYZER_IMAGE' },
              rules: [
                { if: '$CI_COMMIT_BRANCH', exists:

--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -119,6 +119,8 @@
          expected_configuration = {
            rules: [{ if: '$CI_COMMIT_BRANCH' }],
            script: ["/analyzer run"],
+            before_script: [],
+            after_script: [],
            tags: ['runner-tag'],
            stage: 'test',
            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
@@ -179,6 +181,8 @@
            },
            dependencies: [],
            script: ['gtcs scan'],
+            before_script: [],
+            after_script: [],
            variables: {
              CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:7",
              GIT_STRATEGY: 'fetch',

--- a/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
@@ -69,6 +69,8 @@
          },
          allow_failure: true,
          script: ['/analyze'],
+          before_script: [],
+          after_script: [],
          artifacts: { access: 'developer', reports: { dast: 'gl-dast-report.json' } },
          dast_configuration: { site_profile: site_profile.name, scanner_profile: scanner_profile.name },
          rules: [