Commit 962a8a82 authored by Matija Čupić's avatar Matija Čupić

Merge branch '327508-move-defaults-to-script-apifuzz' into 'master'

Move defaults to script for API Fuzzing CI template

See merge request gitlab-org/gitlab!60171
parents 58b8fb91 866e1aba
......@@ -599,7 +599,6 @@ repository's root as `.gitlab-api-fuzzing.yml`.
| `FUZZAPI_TARGET_URL` | Base URL of API testing target. |
|[`FUZZAPI_CONFIG`](#configuration-files) | API Fuzzing configuration file. Defaults to `.gitlab-apifuzzer.yml`. |
|[`FUZZAPI_PROFILE`](#configuration-files) | Configuration profile to use during testing. Defaults to `Quick`. |
| `FUZZAPI_REPORT` | Scan report filename. Defaults to `gl-api_fuzzing-report.xml`. |
|[`FUZZAPI_OPENAPI`](#openapi-specification) | OpenAPI specification file or URL. |
|[`FUZZAPI_HAR`](#http-archive-har) | HTTP Archive (HAR) file. |
|[`FUZZAPI_POSTMAN_COLLECTION`](#postman-collection) | Postman Collection file. |
......@@ -611,18 +610,6 @@ repository's root as `.gitlab-api-fuzzing.yml`.
|[`FUZZAPI_HTTP_USERNAME`](#http-basic-authentication) | Username for HTTP authentication. |
|[`FUZZAPI_HTTP_PASSWORD`](#http-basic-authentication) | Password for HTTP authentication. |
<!--|[`FUZZAPI_D_TARGET_IMAGE`](#target-container) |API target docker image |
|[`FUZZAPI_D_TARGET_ENV`](#target-container) |Docker environment options |
|[`FUZZAPI_D_TARGET_VOLUME`](#target-container) | Docker volume options |
|[`FUZZAPI_D_TARGET_PORTS`](#target-container) |Docker port options |
| `FUZZAPI_D_WORKER_IMAGE` |Custom worker docker image |
| `FUZZAPI_D_WORKER_ENV` |Custom worker docker environment options |
| `FUZZAPI_D_WORKER_VOLUME` |Custom worker docker volume options |
| `FUZZAPI_D_WORKER_PORTS` |Custom worker docker port options |
| `FUZZAPI_D_NETWORK` |Name of docker network, defaults to "testing-net"|
| `FUZZAPI_D_PRE_SCRIPT` |Pre script runs after docker login and docker network create, but before starting the scanning image container.|
| `FUZZAPI_D_POST_SCRIPT` |Post script runs after scanning image container is started. This is the place to start your target(s) and kick off scanning when using an advanced configuration.| -->
### Overrides
API Fuzzing provides a method to add or override specific items in your request, for example:
......
---
title: Move API Fuzzing variable defaults into script
merge_request: 60171
author:
type: changed
......@@ -75,7 +75,7 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
end
it 'includes job to display error' do
expect(build_names).to match_array(%w[apifuzzer_fuzz_unlicensed])
expect(build_names).to match_array(%w[apifuzzer_fuzz])
end
end
......
......@@ -5,41 +5,13 @@
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
variables:
FUZZAPI_PROFILE: Quick
FUZZAPI_VERSION: "1"
FUZZAPI_CONFIG: .gitlab-api-fuzzing.yml
FUZZAPI_TIMEOUT: 30
FUZZAPI_REPORT: gl-api-fuzzing-report.json
FUZZAPI_REPORT_ASSET_PATH: assets
#
# Wait up to 5 minutes for API Fuzzer and target url to become
# available (non 500 response to HTTP(s))
FUZZAPI_SERVICE_START_TIMEOUT: "300"
#
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
#
apifuzzer_fuzz_unlicensed:
stage: fuzz
allow_failure: true
rules:
- if: '$GITLAB_FEATURES !~ /\bapi_fuzzing\b/ && $API_FUZZING_DISABLED == null'
- when: never
script:
- |
echo "Error: Your GitLab project is not licensed for API Fuzzing."
- exit 1
apifuzzer_fuzz:
stage: fuzz
image: $FUZZAPI_IMAGE
variables:
FUZZAPI_PROJECT: $CI_PROJECT_PATH
FUZZAPI_API: http://localhost:80
FUZZAPI_NEW_REPORT: 1
FUZZAPI_LOG_SCANNER: gl-apifuzzing-api-scanner.log
TZ: America/Los_Angeles
allow_failure: true
rules:
- if: $API_FUZZING_DISABLED
......@@ -47,44 +19,16 @@ apifuzzer_fuzz:
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
- if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
- if: $CI_COMMIT_BRANCH
script:
#
# Validate options
- |
if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI$FUZZAPI_POSTMAN_COLLECTION" == "" ]; then \
echo "Error: One of FUZZAPI_HAR, FUZZAPI_OPENAPI, or FUZZAPI_POSTMAN_COLLECTION must be provided."; \
echo "See https://docs.gitlab.com/ee/user/application_security/api_fuzzing/ for information on how to configure API Fuzzing."; \
exit 1; \
fi
#
# Run user provided pre-script
- sh -c "$FUZZAPI_PRE_SCRIPT"
#
# Make sure asset path exists
- mkdir -p $FUZZAPI_REPORT_ASSET_PATH
#
# Start API Security background process
- dotnet /peach/Peach.Web.dll &> $FUZZAPI_LOG_SCANNER &
- APISEC_PID=$!
#
# Start scanning
- worker-entry
#
# Run user provided post-script
- sh -c "$FUZZAPI_POST_SCRIPT"
#
# Shutdown API Security
- kill $APISEC_PID
- wait $APISEC_PID
#
- /peach/analyzer-fuzz-api
artifacts:
when: always
paths:
- $FUZZAPI_REPORT_ASSET_PATH
- $FUZZAPI_REPORT
- $FUZZAPI_LOG_SCANNER
- gl-assets
- gl-api-fuzzing-report.json
- gl-*.log
reports:
api_fuzzing: $FUZZAPI_REPORT
api_fuzzing: gl-api-fuzzing-report.json
# end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment