diff --git a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
index 1961ecfc4997770dfa8f51f01018fb40a74ed634..3d1aab8b939741c400794dba5d15662242d0e661 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_action/template.rb
@@ -27,6 +27,7 @@ def config
 ci_configuration.each do |_, job_configuration|
 apply_variables!(job_configuration, variables)
 apply_tags!(job_configuration, @action[:tags])
+ apply_defaults!(job_configuration)
 remove_extends!(job_configuration)
 remove_rule_to_disable_job!(job_configuration, ci_variables)
 end
@@ -67,6 +68,11 @@ def apply_tags!(job_configuration, tags)
 job_configuration[:tags] = tags
 end
 
+ def apply_defaults!(job_configuration)
+ job_configuration[:before_script] ||= []
+ job_configuration[:after_script] ||= []
+ end
+
 def remove_extends!(job_configuration)
 job_configuration.delete(:extends)
 end
diff --git a/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb
index 912432c0d1aa97f99eba137e718d567c275e368e..e55c613ab7596594029360bedb4068e5e32f9e69 100644
--- a/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service.rb
@@ -37,7 +37,9 @@ def prepare_on_demand_scan_configuration(action)
 .deep_merge(
 'stage' => 'dast',
 'variables' => dast_on_demand_variables(action_variables),
- 'dast_configuration' => ci_configuration['dast']['dast_configuration']
+ 'dast_configuration' => ci_configuration['dast']['dast_configuration'],
+ 'before_script' => [],
+ 'after_script' => []
 )
 end
 
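Review bot: `apply_defaults!` writes empty `before_script`/`after_script` arrays without saying why, and the name reads as if it applied defaults rather than neutralised them, so a short comment at the definition would stop the next reader from "simplifying" it away. Presumably the intent is that a policy-enforced scan job must not pick up the project's pipeline-level `default:` or top-level `before_script`/`after_script`, which are merged into any job lacking those keys — confirm, then document it, e.g. `# Pin both keys so the project's default:/top-level before_script and after_script are not merged into policy jobs; a script the template declares itself is kept.`. If that is the goal, `default: hooks:` (`pre_get_sources_script`) is another script-bearing key that is still inherited here, and it is worth deciding whether it should be pinned the same way. Because of `||=`, a template job that already declares either key keeps it, which is the behaviour the comment should state explicitly.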
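Review bot: Passing `'before_script' => []` and `'after_script' => []` through `deep_merge` overwrites unconditionally, whereas `apply_defaults!` in `template.rb` uses `||=` and keeps a script the template declares; if the receiver of `.deep_merge` is the DAST template's job hash (the method starts outside the hunk, so I cannot see it), any `before_script` that template ever declares is silently dropped here. If preserving a template-declared script is intended, as in the other service, the two keys belong in a separate `.reverse_merge('before_script' => [], 'after_script' => [])` after the `deep_merge`, or the on-demand path could call `apply_defaults!`; if overwriting is deliberate, a one-line comment stating that the on-demand DAST job must never carry a template script would remove the ambiguity. `prepare_on_demand_scan_configuration` begins before the hunk.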
diff --git a/ee/spec/lib/ee/gitlab/ci/config_spec.rb b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
index e5edd3eee434add10af95a2fb2840ed5fd5b1780..9037f14fbe58b13ec01332cf13537ce3484e8aa1 100644
--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -83,6 +83,8 @@
 },
 allow_failure: true,
 script: ['/analyze'],
+ before_script: [],
+ after_script: [],
 artifacts: { access: 'developer', reports: { dast: 'gl-dast-report.json' } },
 dast_configuration: {
 site_profile: dast_site_profile.name,
diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
index d82953c828eff97523f1311c3ed85117f7d402b9..73c96183878813dfcfd279f0b346cb103c9313d8 100644
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -292,6 +292,8 @@
 },
 allow_failure: true,
 script: ['/analyze'],
+ before_script: [],
+ after_script: [],
 artifacts: {
 access: 'developer',
 reports: {
@@ -322,6 +324,8 @@
 hash_including(
 rules: [{ if: '$CI_COMMIT_BRANCH' }],
 script: ["/analyzer run"],
+ before_script: [],
+ after_script: [],
 stage: scan_policy_stage,
 image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
 services: [],
@@ -352,6 +356,8 @@
 hash_including(
 artifacts: { access: 'developer', reports: { sast: 'gl-sast-report.json' } },
 script: ['/analyzer run'],
+ before_script: [],
+ after_script: [],
 image: { name: '$SAST_ANALYZER_IMAGE' },
 rules: [
 { if: '$CI_COMMIT_BRANCH', exists:
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
index 0e2a38761d1c426d25f4a692bacdd30da04c9a20..2d1dd2e514f2c6616f986b85ec65ad135d7f545d 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -119,6 +119,8 @@
 expected_configuration = {
 rules: [{ if: '$CI_COMMIT_BRANCH' }],
 script: ["/analyzer run"],
+ before_script: [],
+ after_script: [],
 tags: ['runner-tag'],
 stage: 'test',
 image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX',
@@ -179,6 +181,8 @@
 },
 dependencies: [],
 script: ['gtcs scan'],
+ before_script: [],
+ after_script: [],
 variables: {
 CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:7",
 GIT_STRATEGY: 'fetch',
diff --git a/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
index dba3fbc58d8cdbff3439fa564ec0801fb763173c..30edd93cc2949823583a5c212462867b89a92323 100644
--- a/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
@@ -69,6 +69,8 @@
 },
 allow_failure: true,
 script: ['/analyze'],
+ before_script: [],
+ after_script: [],
 artifacts: { access: 'developer', reports: { dast: 'gl-dast-report.json' } },
 dast_configuration: { site_profile: site_profile.name, scanner_profile: scanner_profile.name },
 rules: [
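Review bot: The new expectations in the `@@ -119` and `@@ -179` hunks of `template_spec.rb` only cover the case where the template declares no `before_script`/`after_script`, so the `||=` branch of `apply_defaults!` — a template job that already sets one of these keys keeps it — has no example. An additional example with a template whose job declares `before_script: ['echo prepare']` (constructed value) and an expectation that this same array, not `[]`, appears in `config` would pin that behaviour and catch a later switch to unconditional assignment. The surrounding `expected_configuration` hashes begin and end outside these hunks.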