Show secure results on environments page, backend

ee/app/models/ee/environment.rb

@@ -5,6 +5,8 @@ module EE
 
     prepended do
       has_many :prometheus_alerts, inverse_of: :environment
+      has_one :last_deployable, through: :last_deployment, source: 'deployable', source_type: 'CommitStatus'
+      has_one :last_pipeline, through: :last_deployable, source: 'pipeline'
     end
 
     def pod_names

ee/app/serializers/ee/environment_entity.rb

@@ -7,6 +7,32 @@ module EE
       expose :logs_path, if: -> (*) { can_read_pod_logs? } do |environment|
         logs_project_environment_path(environment.project, environment)
       end
+
+      expose :secure_artifacts do
+        expose :sast_path, if: -> (*) { environment.last_pipeline&.expose_sast_data? } do |environment|
+          raw_project_build_artifacts_url(environment.project,
+                                          environment.last_pipeline.sast_artifact,
+                                          path: Ci::Build::SAST_FILE)
+        end
+
+        expose :dependency_scanning_path, if: -> (*) { environment.last_pipeline&.expose_dependency_scanning_data? } do |environment|
+          raw_project_build_artifacts_url(environment.project,
+                                          environment.last_pipeline.dependency_scanning_artifact,
+                                          path: Ci::Build::DEPENDENCY_SCANNING_FILE)
+        end
+
+        expose :dast_path, if: -> (*) { environment.last_pipeline&.expose_dast_data? } do |environment|
+          raw_project_build_artifacts_url(environment.project,
+                                          environment.last_pipeline.dast_artifact,
+                                          path: Ci::Build::DAST_FILE)
+        end
+
+        expose :container_scanning_path, if: -> (*) { environment.last_pipeline&.expose_container_scanning_data? } do |environment|
+          raw_project_build_artifacts_url(environment.project,
+                                          environment.last_pipeline.container_scanning_artifact,
+                                          path: Ci::Build::CONTAINER_SCANNING_FILE)
+        end
+      end
     end
 
     private

ee/changelogs/unreleased/4299_show_secure_results_on_environments_page_be.yml

+---
+title: Show security analysis status on the environments page
+merge_request: 6987
+author:
+type: added

ee/spec/fixtures/api/schemas/environment.json

@@ -8,7 +8,8 @@
         "last_deployment",
         "environment_path",
         "created_at",
-        "updated_at"
+        "updated_at",
+        "secure_artifacts"
     ],
     "properties": {
         "id": {
@@ -68,6 +69,24 @@
         },
         "can_stop": {
             "type": "boolean"
+        },
+        "secure_artifacts": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "sast": {
+                    "type": "integer"
+                },
+                "dast": {
+                    "type": "string"
+                },
+                "container_scanning": {
+                    "type": "string"
+                },
+                "dependency_scanning": {
+                    "type": "string"
+                }
+            }
         }
     }
 }

ee/spec/serializers/ee/environment_entity_spec.rb

@@ -32,4 +32,65 @@ describe EnvironmentEntity do
 
     it_behaves_like 'protected environments access', false
   end
+
+  describe 'secure_artifacts hash' do
+    it 'is present' do
+      expect(entity.as_json.include?(:secure_artifacts)).to eq(true)
+    end
+
+    it 'is empty' do
+      expect(entity.as_json[:secure_artifacts].size).to eq(0)
+    end
+  end
+
+  context 'with secure artifacts' do
+    let(:pipeline) { create(:ci_pipeline, :success, project: project) }
+    let(:deployable) { create(:ci_build, :success, pipeline: pipeline) }
+
+    jobs_parameters = [
+        { name: 'sast', filename: 'gl-sast-report.json' },
+        { name: 'dast', filename: 'gl-dast-report.json' },
+        { name: 'container_scanning', filename: 'gl-container-scanning-report.json' },
+        { name: 'dependency_scanning', filename: 'gl-dependency-scanning-report.json' }
+    ]
+
+    before do
+      stub_licensed_features(sast: true, dast: true, dependency_scanning: true, sast_container: true)
+      create(:deployment, deployable: deployable, environment: environment)
+
+      jobs_parameters.each do |job_parameters|
+        create(
+          :ci_job_artifact,
+          :archive,
+          job: create(
+            :ci_build,
+            :success,
+            pipeline: pipeline,
+            name: job_parameters[:name],
+            options: {
+              artifacts: {
+                paths: [job_parameters[:filename]]
+              }
+            }))
+      end
+    end
+
+    describe 'secure_artifacts hash' do
+      it 'contains the reports' do
+        allow_any_instance_of(LegacyArtifactUploader).to receive(:exists?).and_return(true)
+
+        expect(entity.as_json[:secure_artifacts].size).to eq(4)
+
+        expect(entity.as_json[:secure_artifacts]).to include(:sast_path)
+        expect(entity.as_json[:secure_artifacts]).to include(:dast_path)
+        expect(entity.as_json[:secure_artifacts]).to include(:container_scanning_path)
+        expect(entity.as_json[:secure_artifacts]).to include(:dependency_scanning_path)
+
+        expect(entity.as_json[:secure_artifacts][:sast_path]).to end_with(Ci::Build::SAST_FILE)
+        expect(entity.as_json[:secure_artifacts][:dast_path]).to end_with(Ci::Build::DAST_FILE)
+        expect(entity.as_json[:secure_artifacts][:container_scanning_path]).to end_with(Ci::Build::CONTAINER_SCANNING_FILE)
+        expect(entity.as_json[:secure_artifacts][:dependency_scanning_path]).to end_with(Ci::Build::DEPENDENCY_SCANNING_FILE)
+      end
+    end
+  end
 end