Merge branch '330713-add-new-security-scan-type' into 'master'

Add new security report type: running container scanning

See merge request gitlab-org/gitlab!64607

doc/api/graphql/reference/index.md

@@ -12540,6 +12540,7 @@ Represents summary of a security report.
 | <a id="securityreportsummarycoveragefuzzing"></a>`coverageFuzzing` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `coverage_fuzzing` scan. |
 | <a id="securityreportsummarydast"></a>`dast` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `dast` scan. |
 | <a id="securityreportsummarydependencyscanning"></a>`dependencyScanning` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `dependency_scanning` scan. |
+| <a id="securityreportsummaryrunningcontainerscanning"></a>`runningContainerScanning` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `running_container_scanning` scan. |
 | <a id="securityreportsummarysast"></a>`sast` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `sast` scan. |
 | <a id="securityreportsummarysecretdetection"></a>`secretDetection` | [`SecurityReportSummarySection`](#securityreportsummarysection) | Aggregated counts for the `secret_detection` scan. |
 
@@ -13393,7 +13394,7 @@ Represents a vulnerability.
 | <a id="vulnerabilitynotes"></a>`notes` | [`NoteConnection!`](#noteconnection) | All notes on this noteable. (see [Connections](#connections)) |
 | <a id="vulnerabilityprimaryidentifier"></a>`primaryIdentifier` | [`VulnerabilityIdentifier`](#vulnerabilityidentifier) | Primary identifier of the vulnerability. |
 | <a id="vulnerabilityproject"></a>`project` | [`Project`](#project) | The project on which the vulnerability was found. |
-| <a id="vulnerabilityreporttype"></a>`reportType` | [`VulnerabilityReportType`](#vulnerabilityreporttype) | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING). `Scan Type` in the UI. |
+| <a id="vulnerabilityreporttype"></a>`reportType` | [`VulnerabilityReportType`](#vulnerabilityreporttype) | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING, RUNNING_CONTAINER_SCANNING). `Scan Type` in the UI. |
 | <a id="vulnerabilityresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state was changed to resolved. |
 | <a id="vulnerabilityresolvedby"></a>`resolvedBy` | [`UserCore`](#usercore) | The user that resolved the vulnerability. |
 | <a id="vulnerabilityresolvedondefaultbranch"></a>`resolvedOnDefaultBranch` | [`Boolean!`](#boolean) | Indicates whether the vulnerability is fixed on the default branch or not. |
@@ -15065,6 +15066,7 @@ The type of the security scan that found the vulnerability.
 | <a id="vulnerabilityreporttypecoverage_fuzzing"></a>`COVERAGE_FUZZING` |  |
 | <a id="vulnerabilityreporttypedast"></a>`DAST` |  |
 | <a id="vulnerabilityreporttypedependency_scanning"></a>`DEPENDENCY_SCANNING` |  |
+| <a id="vulnerabilityreporttyperunning_container_scanning"></a>`RUNNING_CONTAINER_SCANNING` |  |
 | <a id="vulnerabilityreporttypesast"></a>`SAST` |  |
 | <a id="vulnerabilityreporttypesecret_detection"></a>`SECRET_DETECTION` |  |
 

doc/development/usage_ping/dictionary.md

@@ -17330,6 +17330,18 @@ Status: `data_available`
 
 Tiers: `ultimate`
 
+### `usage_activity_by_stage.secure.running_container_scanning_scans`
+
+Counts running container scanning jobs
+
+[YAML definition](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/metrics/counts_all/20210618124854_running_container_scanning_scans.yml)
+
+Group: `group::container security`
+
+Status: `data_available`
+
+Tiers: `ultimate`
+
 ### `usage_activity_by_stage.secure.sast_scans`
 
 Counts sast jobs
@@ -19430,6 +19442,30 @@ Status: `data_available`
 
 Tiers: `ultimate`
 
+### `usage_activity_by_stage_monthly.secure.running_container_scanning_pipeline`
+
+Pipelines containing a Running Container Scanning job
+
+[YAML definition](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/metrics/counts_28d/20210618125224_running_container_scanning_pipeline.yml)
+
+Group: `group::container security`
+
+Status: `data_available`
+
+Tiers: `ultimate`
+
+### `usage_activity_by_stage_monthly.secure.running_container_scanning_scans`
+
+Counts running container scanning jobs
+
+[YAML definition](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/metrics/counts_28d/20210618101233_running_container_scanning_scans.yml)
+
+Group: `group::container security`
+
+Status: `data_available`
+
+Tiers: `ultimate`
+
 ### `usage_activity_by_stage_monthly.secure.sast_pipeline`
 
 Counts of Pipelines that have at least 1 SAST job

ee/app/models/concerns/ee/enums/vulnerability.rb

@@ -10,7 +10,8 @@ module EE
         container_scanning: 2,
         dast: 3,
         coverage_fuzzing: 5,
-        api_fuzzing: 6
+        api_fuzzing: 6,
+        running_container_scanning: 7
       }.freeze
 
       class_methods do

ee/app/models/security/scan.rb

@@ -23,7 +23,8 @@ module Security
       dast: 4,
       secret_detection: 5,
       coverage_fuzzing: 6,
-      api_fuzzing: 7
+      api_fuzzing: 7,
+      running_container_scanning: 8
     }
 
     scope :by_scan_types, -> (scan_types) { where(scan_type: scan_types) }

ee/config/metrics/counts_28d/20210618101233_running_container_scanning_scans.yml

+---
+key_path: usage_activity_by_stage_monthly.secure.running_container_scanning_scans
+description: 'Counts running container scanning jobs'
+product_section: sec
+product_stage: protect
+product_group: group::container security
+product_category: container_scanning
+value_type: number
+status: data_available
+time_frame: all
+data_source: database
+data_category: Optional
+distribution:
+- ee
+tier:
+- ultimate

ee/config/metrics/counts_28d/20210618125224_running_container_scanning_pipeline.yml

+
+---
+key_path: usage_activity_by_stage_monthly.secure.running_container_scanning_pipeline
+description: Pipelines containing a Running Container Scanning job
+product_section: sec
+product_stage: protect
+product_group: group::container security
+product_category: container_scanning
+value_type: number
+status: data_available
+time_frame: 28d
+data_source: database
+data_category: Optional
+distribution:
+- ee
+tier:
+- ultimate

ee/config/metrics/counts_all/20210618124854_running_container_scanning_scans.yml

+---
+key_path: usage_activity_by_stage.secure.running_container_scanning_scans
+description: 'Counts running container scanning jobs'
+product_section: sec
+product_stage: protect
+product_group: group::container security
+product_category: container_scanning
+value_type: number
+status: data_available
+time_frame: all
+data_source: database
+data_category: Optional
+distribution:
+- ee
+tier:
+- ultimate

ee/spec/graphql/resolvers/security_report_summary_resolver_spec.rb

@@ -18,6 +18,7 @@ RSpec.describe Resolvers::SecurityReportSummaryResolver do
           dast: [:scanned_resources_count, :vulnerabilities_count, :scans],
           sast: [:scanned_resources_count, :vulnerabilities_count],
           container_scanning: [:scanned_resources_count, :vulnerabilities_count],
+          running_container_scanning: [:scanned_resources_count, :vulnerabilities_count],
           dependency_scanning: [:scanned_resources_count, :vulnerabilities_count],
           coverage_fuzzing: [:scanned_resources_count, :vulnerabilities_count]
         }

ee/spec/graphql/types/security_report_summary_type_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['SecurityReportSummary'] do
   specify { expect(described_class.graphql_name).to eq('SecurityReportSummary') }
 
   it 'has specific fields' do
-    expected_fields = %w[dast sast containerScanning dependencyScanning]
+    expected_fields = %w[dast sast containerScanning dependencyScanning runningContainerScanning]
 
     expect(described_class).to include_graphql_fields(*expected_fields)
   end

ee/spec/graphql/types/vulnerability_report_type_enum_spec.rb

@@ -4,6 +4,6 @@ require 'spec_helper'
 
 RSpec.describe GitlabSchema.types['VulnerabilityReportType'] do
   it 'exposes all vulnerability report types' do
-    expect(described_class.values.keys).to match_array(%w[SAST SECRET_DETECTION DAST CONTAINER_SCANNING DEPENDENCY_SCANNING COVERAGE_FUZZING API_FUZZING])
+    expect(described_class.values.keys).to match_array(%w[SAST SECRET_DETECTION DAST RUNNING_CONTAINER_SCANNING CONTAINER_SCANNING DEPENDENCY_SCANNING COVERAGE_FUZZING API_FUZZING])
   end
 end

ee/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb

@@ -6,12 +6,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
   using RSpec::Parameterized::TableSyntax
 
   where(:report_type, :expected_errors, :valid_data) do
-    :container_scanning  | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :coverage_fuzzing    | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :dast                | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :dependency_scanning | ['root is missing required keys: dependency_files, vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [], 'dependency_files' => [] }
-    :sast                | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :secret_detection    | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :running_container_scanning | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :container_scanning         | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :coverage_fuzzing           | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :dast                       | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :dependency_scanning        | ['root is missing required keys: dependency_files, vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [], 'dependency_files' => [] }
+    :sast                       | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :secret_detection           | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
   end
 
   with_them do

ee/spec/models/ee/vulnerability_spec.rb

@@ -17,7 +17,8 @@ RSpec.describe Vulnerability do
       dast: 3,
       secret_detection: 4,
       coverage_fuzzing: 5,
-      api_fuzzing: 6 }
+      api_fuzzing: 6,
+      running_container_scanning: 7 }
   end
 
   let_it_be(:project) { create(:project) }