Merge branch 'philipcunningham-add-support-for-offline-environments-324990' into 'master'

Add dast-runner-validation to Secure-Binaries YAML

See merge request gitlab-org/gitlab!66501

ee/spec/lib/gitlab/ci/templates/secure_binaries_ci_yaml_spec.rb

@@ -27,17 +27,35 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
       allow(project).to receive(:default_branch).and_return(default_branch)
     end
 
-    describe 'dast' do
-      let_it_be(:build_name) { 'dast' }
+    shared_examples 'an offline image download job' do
+      let(:build) { pipeline.builds.find_by(name: build_name) }
 
-      it 'creates a dast job' do
+      it 'creates the job' do
         expect(build_names).to include(build_name)
       end
 
       it 'sets SECURE_BINARIES_ANALYZER_VERSION to the correct version' do
-        build = pipeline.builds.find_by(name: build_name)
+        expect(build.variables.to_hash).to include('SECURE_BINARIES_ANALYZER_VERSION' => String(version))
+      end
+    end
+
+    describe 'dast' do
+      let_it_be(:build_name) { 'dast' }
+      let_it_be(:version) { 2 }
+
+      it_behaves_like 'an offline image download job'
+    end
+
+    describe 'dast-runner-validation' do
+      let_it_be(:build_name) { 'dast-runner-validation' }
+      let_it_be(:version) { 1 }
+
+      it_behaves_like 'an offline image download job' do
+        it 'sets SECURE_BINARIES_IMAGE explicitly' do
+          image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
 
-        expect(build.variables.to_hash).to include('SECURE_BINARIES_ANALYZER_VERSION' => '2')
+          expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
+        end
       end
     end
   end

lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml

@@ -18,7 +18,7 @@ variables:
     bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
     bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
     license-finder,
-    dast, api-fuzzing
+    dast, dast-runner-validation, api-fuzzing
 
   SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
   SECURE_BINARIES_PUSH_IMAGES: "true"
@@ -230,6 +230,16 @@ dast:
       - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
           $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
 
+dast-runner-validation:
+  extends: .download_images
+  variables:
+    SECURE_BINARIES_ANALYZER_VERSION: "1"
+    SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
+  only:
+    variables:
+      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
+          $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
+
 api-fuzzing:
   extends: .download_images
   variables: