Add dast-runner-validation to Secure-Binaries YAML

- Adds dast-runner-validation for offline image download - Updates specs for template Changelog: changed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66501 EE: true

Add dast-runner-validation to Secure-Binaries YAML
- Adds dast-runner-validation for offline image download - Updates specs for template Changelog: changed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66501 EE: true
0bd402ff · Philip Cunningham · cec62d8b · 0bd402ff · 0bd402ff
Commit 0bd402ff authored Jul 21, 2021 by Philip Cunningham
2 changed files
--- a/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb
@@ -27,17 +27,35 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
      allow(project).to receive(:default_branch).and_return(default_branch)
    end
-    describe 'dast' do
+    shared_examples 'an offline image download job' do
-      let_it_be(:build_name) { 'dast' }
+      let(:build) { pipeline.builds.find_by(name: build_name) }
-      it 'creates a dast job' do
+      it 'creates the job' do
        expect(build_names).to include(build_name)
      end
      it 'sets SECURE_BINARIES_ANALYZER_VERSION to the correct version' do
-        build = pipeline.builds.find_by(name: build_name)
+        expect(build.variables.to_hash).to include('SECURE_BINARIES_ANALYZER_VERSION' => String(version))
+      end
+    end
+    describe 'dast' do
+      let_it_be(:build_name) { 'dast' }
+      let_it_be(:version) { 2 }
+      it_behaves_like 'an offline image download job'
+    end
+    describe 'dast-runner-validation' do
+      let_it_be(:build_name) { 'dast-runner-validation' }
+      let_it_be(:version) { 1 }
+      it_behaves_like 'an offline image download job' do
+        it 'sets SECURE_BINARIES_IMAGE explicitly' do
+          image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
-        expect(build.variables.to_hash).to include('SECURE_BINARIES_ANALYZER_VERSION' => '2')
+          expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
+        end
      end
    end
  end

--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -18,7 +18,7 @@ variables:
    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
    bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
    license-finder,
-    dast, api-fuzzing
+    dast, dast-runner-validation, api-fuzzing
  SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
  SECURE_BINARIES_PUSH_IMAGES: "true"
@@ -230,6 +230,16 @@ dast:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
+dast-runner-validation:
+  extends: .download_images
+  variables:
+    SECURE_BINARIES_ANALYZER_VERSION: "1"
+    SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
+  only:
+    variables:
+      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
+          $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
 api-fuzzing:
  extends: .download_images
  variables: