Diffstat (limited to 'lib/gitlab/ci')
24 files changed, 161 insertions, 51 deletions
diff --git a/lib/gitlab/ci/build/rules.rb b/lib/gitlab/ci/build/rules.rb index 8b503290e6e..999f41ff46f 100644 --- a/lib/gitlab/ci/build/rules.rb +++ b/lib/gitlab/ci/build/rules.rb @@ -6,7 +6,9 @@ module Gitlab class Rules include ::Gitlab::Utils::StrongMemoize - Result = Struct.new(:when, :start_in, :allow_failure, :variables, :needs, :errors, keyword_init: true) do + Result = Struct.new( + :when, :start_in, :allow_failure, :variables, :needs, :errors, :auto_cancel, keyword_init: true + ) do def build_attributes needs_job = needs&.dig(:job) { @@ -37,7 +39,8 @@ module Gitlab start_in: matched_rule.attributes[:start_in], allow_failure: matched_rule.attributes[:allow_failure], variables: matched_rule.attributes[:variables], - needs: matched_rule.attributes[:needs] + needs: matched_rule.attributes[:needs], + auto_cancel: matched_rule.attributes[:auto_cancel] ) else Result.new(when: 'never') diff --git a/lib/gitlab/ci/config/entry/processable.rb b/lib/gitlab/ci/config/entry/processable.rb index 0b322fd433c..d19140851f5 100644 --- a/lib/gitlab/ci/config/entry/processable.rb +++ b/lib/gitlab/ci/config/entry/processable.rb @@ -58,7 +58,8 @@ module Gitlab description: 'List of evaluable Rules to determine job inclusion.', inherit: false, metadata: { - allowed_when: %w[on_success on_failure always never manual delayed].freeze + allowed_when: %w[on_success on_failure always never manual delayed].freeze, + allowed_keys: %i[if changes exists when start_in allow_failure variables needs].freeze } entry :variables, ::Gitlab::Ci::Config::Entry::Variables, diff --git a/lib/gitlab/ci/config/entry/rules/rule.rb b/lib/gitlab/ci/config/entry/rules/rule.rb index 1e7f6056a65..81e67592c29 100644 --- a/lib/gitlab/ci/config/entry/rules/rule.rb +++ b/lib/gitlab/ci/config/entry/rules/rule.rb 
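Review bot: The job-level `allowed_keys` list added in processable.rb (`%i[if changes exists when start_in allow_failure variables needs]`) omits `auto_cancel`, while the same commit gives `Rules::Rule` an `auto_cancel` entry and lets workflow.rb allow it; that omission is presumably what keeps `auto_cancel` out of job rules, but nothing in the hunk records it, so a maintainer copying the workflow list would silently enable it for jobs. Add a comment above the metadata hash such as `# auto_cancel is intentionally absent here: it is only honoured in workflow:rules.` The `entry :rules` declaration continues outside the hunk.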
@@ -4,14 +4,16 @@ module Gitlab module Ci class Config module Entry + # A rule is a condition that is evaluated before a job is executed. + # Until we find a better solution in https://gitlab.com/gitlab-org/gitlab/-/issues/436473, + # these two metadata parameters need to be passed to `Entry::Rules`: + # - `allowed_when`: a list of allowed values for the `when` keyword. + # - `allowed_keys`: a list of allowed keys for each rule. class Rules::Rule < ::Gitlab::Config::Entry::Node include ::Gitlab::Config::Entry::Validatable include ::Gitlab::Config::Entry::Configurable include ::Gitlab::Config::Entry::Attributable - ALLOWED_KEYS = %i[if changes exists when start_in allow_failure variables needs].freeze - ALLOWED_WHEN = %w[on_success on_failure always never manual delayed].freeze - attributes :if, :exists, :when, :start_in, :allow_failure entry :changes, Entry::Rules::Rule::Changes, @@ -25,10 +27,12 @@ module Gitlab metadata: { allowed_needs: %i[job] }, inherit: false + entry :auto_cancel, Entry::AutoCancel, + description: 'Auto-cancel configuration for the pipeline.' + validations do validates :config, presence: true validates :config, type: { with: Hash } - validates :config, allowed_keys: ALLOWED_KEYS validates :config, disallowed_keys: %i[start_in], unless: :specifies_delay? validates :start_in, presence: true, if: :specifies_delay? validates :start_in, duration: { limit: '1 week' }, if: :specifies_delay? 
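Review bot: `entry :auto_cancel, Entry::AutoCancel, description: ...` is declared without the `inherit: false` that the neighbouring `needs` entry carries (`metadata: { allowed_needs: %i[job] }, inherit: false`); whether inheritance is relevant for a rule-level entry is not visible here, but the asymmetry reads as an oversight. If it is deliberate, a short comment on the new entry (`# inheritance is irrelevant for rule-level auto_cancel`) would stop the next reviewer asking the same question; otherwise add `inherit: false` for consistency. The `Rules::Rule` class body continues outside the hunk.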
@@ -36,15 +40,22 @@ module Gitlab with_options allow_nil: true do validates :if, expression: true validates :exists, array_of_strings: true, length: { maximum: 50 } - validates :when, allowed_values: { in: ALLOWED_WHEN } validates :allow_failure, boolean: true end validate do + # This validation replaces the old `validates :when, allowed_values: { in: ALLOWED_WHEN }` validation. + # In https://gitlab.com/gitlab-org/gitlab/-/issues/436473, we'll remove this custom validation. validates_with Gitlab::Config::Entry::Validators::AllowedValuesValidator, attributes: %i[when], allow_nil: true, in: opt(:allowed_when) + + # This validation replaces the old `validates :config, allowed_keys: ALLOWED_KEYS` validation. + # In https://gitlab.com/gitlab-org/gitlab/-/issues/436473, we'll remove this custom validation. + validates_with Gitlab::Config::Entry::Validators::AllowedKeysValidator, + attributes: %i[config], + in: opt(:allowed_keys) end end @@ -52,7 +63,8 @@ module Gitlab config.merge( changes: (changes_value if changes_defined?), variables: (variables_value if variables_defined?), - needs: (needs_value if needs_defined?) + needs: (needs_value if needs_defined?), + auto_cancel: (auto_cancel_value if auto_cancel_defined?) ).compact end diff --git a/lib/gitlab/ci/config/entry/schemas/imageable/executor_opts.json b/lib/gitlab/ci/config/entry/schemas/imageable/executor_opts.json index a31374650e6..1098da0111a 100644 --- a/lib/gitlab/ci/config/entry/schemas/imageable/executor_opts.json +++ b/lib/gitlab/ci/config/entry/schemas/imageable/executor_opts.json @@ -10,6 +10,11 @@ "type": "string", "minLength": 1, "maxLength": 64 + }, + "user": { + "type": "string", + "minLength": 1, + "maxLength": 255 } }, "additionalProperties": false diff --git a/lib/gitlab/ci/config/entry/workflow.rb b/lib/gitlab/ci/config/entry/workflow.rb index 5b81c74fe4d..b201989a9f7 100644 --- a/lib/gitlab/ci/config/entry/workflow.rb +++ b/lib/gitlab/ci/config/entry/workflow.rb 
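Review bot: `validates_with Gitlab::Config::Entry::Validators::AllowedKeysValidator, attributes: %i[config], in: opt(:allowed_keys)` turns a previously unconditional key whitelist into one that depends on metadata every user of `Entry::Rules` must remember to pass; processable.rb and workflow.rb are updated, but any other caller that omits `allowed_keys` now runs the validator with `in: nil`, and whether that rejects everything, accepts everything or raises cannot be seen here. The same applies to `in: opt(:allowed_when)` just above. A fail-closed guard at the top of the `validate do` block, e.g. `raise ArgumentError, 'allowed_keys metadata is required for Entry::Rules' if opt(:allowed_keys).nil?`, or a documented default, would make the contract stated in the new class comment enforceable rather than advisory. The validations block and the class continue outside the hunk.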
@@ -19,9 +19,14 @@ module Gitlab validates :name, allow_nil: true, length: { minimum: 1, maximum: 255 } end + # `start_in`, `allow_failure`, and `needs` should not be allowed but we can't break this behavior now. + # More information: https://gitlab.com/gitlab-org/gitlab/-/issues/436473 entry :rules, Entry::Rules, description: 'List of evaluable Rules to determine Pipeline status.', - metadata: { allowed_when: %w[always never] } + metadata: { + allowed_when: %w[always never].freeze, + allowed_keys: %i[if changes exists when start_in allow_failure variables needs auto_cancel].freeze + } entry :auto_cancel, Entry::AutoCancel, description: 'Auto-cancel configuration for this pipeline.' diff --git a/lib/gitlab/ci/config/external/context.rb b/lib/gitlab/ci/config/external/context.rb index 0a524fdba66..cbbea3c7c12 100644 --- a/lib/gitlab/ci/config/external/context.rb +++ b/lib/gitlab/ci/config/external/context.rb @@ -11,13 +11,16 @@ module Gitlab include ::Gitlab::Utils::StrongMemoize - attr_reader :project, :sha, :user, :parent_pipeline, :variables, :pipeline_config - attr_reader :pipeline, :expandset, :execution_deadline, :logger, :max_includes, :max_total_yaml_size_bytes + attr_reader :project, :sha, :user, :parent_pipeline, :variables, :pipeline_config, :parallel_requests, + :pipeline, :expandset, :execution_deadline, :logger, :max_includes, :max_total_yaml_size_bytes attr_accessor :total_file_size_in_bytes delegate :instrument, to: :logger + # We try to keep the number of parallel HTTP requests to a minimum to avoid overloading IO. + MAX_PARALLEL_REMOTE_REQUESTS = 2 + def initialize( project: nil, pipeline: nil, sha: nil, user: nil, parent_pipeline: nil, variables: nil, pipeline_config: nil, logger: nil 
@@ -30,6 +33,7 @@ module Gitlab @variables = variables || Ci::Variables::Collection.new @pipeline_config = pipeline_config @expandset = [] + @parallel_requests = [] @execution_deadline = 0 @logger = logger || Gitlab::Ci::Pipeline::Logger.new(project: project) @max_includes = Gitlab::CurrentSettings.current_application_settings.ci_max_includes @@ -65,6 +69,7 @@ module Gitlab ctx.logger = logger ctx.max_includes = max_includes ctx.max_total_yaml_size_bytes = max_total_yaml_size_bytes + ctx.parallel_requests = parallel_requests end end @@ -76,6 +81,16 @@ module Gitlab raise TimeoutError if execution_expired? end + def execute_remote_parallel_request(lazy_response) + parallel_requests.delete_if(&:complete?) + + # We are "assuming" that the first request in the queue is the first one to complete. + # This is good enough approximation. + parallel_requests.first&.wait unless parallel_requests.size < MAX_PARALLEL_REMOTE_REQUESTS + + parallel_requests << lazy_response.execute + end + def sentry_payload { user: user.inspect, @@ -106,7 +121,8 @@ module Gitlab protected - attr_writer :pipeline, :expandset, :execution_deadline, :logger, :max_includes, :max_total_yaml_size_bytes + attr_writer :pipeline, :expandset, :execution_deadline, :logger, :max_includes, :max_total_yaml_size_bytes, + :parallel_requests private diff --git a/lib/gitlab/ci/config/external/file/component.rb b/lib/gitlab/ci/config/external/file/component.rb index 03063e76dde..ab44b424d8d 100644 --- a/lib/gitlab/ci/config/external/file/component.rb +++ b/lib/gitlab/ci/config/external/file/component.rb @@ -18,7 +18,12 @@ module Gitlab def content return unless component_result.success? - ::Gitlab::UsageDataCounters::HLLRedisCounter.track_event('cicd_component_usage', values: context.user.id) + if context.user.present? + ::Gitlab::UsageDataCounters::HLLRedisCounter.track_event( + 'cicd_component_usage', + values: context.user.id + ) + end component_payload.fetch(:content) end 
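Review bot: `parallel_requests.first&.wait unless parallel_requests.size < MAX_PARALLEL_REMOTE_REQUESTS` blocks on a remote include's HTTP response without re-checking the deadline, while `raise TimeoutError if execution_expired?` at the top of the hunk is the mechanism that bounds include processing; if the async `Gitlab::HTTP` path enforces its own read timeout this is fine, otherwise one slow remote can hold the wait well past `execution_deadline`. Adding `raise TimeoutError if execution_expired?` directly after the wait keeps the bound in place. Separately, `ctx.parallel_requests = parallel_requests` in the mutate hunk shares the array by reference, so `MAX_PARALLEL_REMOTE_REQUESTS` caps the whole include tree rather than each context; worth stating in the constant's comment, e.g. `# Shared by reference with child contexts, so the cap applies to the entire include tree.`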
diff --git a/lib/gitlab/ci/config/external/file/remote.rb b/lib/gitlab/ci/config/external/file/remote.rb index fc90b497f85..266901811f6 100644 --- a/lib/gitlab/ci/config/external/file/remote.rb +++ b/lib/gitlab/ci/config/external/file/remote.rb @@ -54,10 +54,12 @@ module Gitlab private def fetch_async_content - return if ::Feature.disabled?(:ci_parallel_remote_includes, context.project) + return unless YamlProcessor::FeatureFlags.enabled?(:ci_parallel_remote_includes) - # It starts fetching the remote content in a separate thread and returns a promise immediately. - Gitlab::HTTP.get(location, async: true).execute + # It starts fetching the remote content in a separate thread and returns a lazy_response immediately. + Gitlab::HTTP.get(location, async: true).tap do |lazy_response| + context.execute_remote_parallel_request(lazy_response) + end end strong_memoize_attr :fetch_async_content diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb index 79c1c14dc4e..62cd322e141 100644 --- a/lib/gitlab/ci/parsers/sbom/cyclonedx.rb +++ b/lib/gitlab/ci/parsers/sbom/cyclonedx.rb @@ -58,6 +58,7 @@ module Gitlab def parse_components data['components']&.each_with_index do |component_data, index| + properties = component_data['properties'] component = ::Gitlab::Ci::Reports::Sbom::Component.new( type: component_data['type'], name: component_data['name'], @@ -65,6 +66,7 @@ module Gitlab version: component_data['version'] ) + component.properties = CyclonedxProperties.parse_trivy_source(properties) if properties report.add_component(component) if component.ingestible? rescue ::Sbom::PackageUrl::InvalidPackageUrl report.add_error("/components/#{index}/purl is invalid") diff --git a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb index 35548358c57..7069e784934 100644 --- a/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb +++ b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb 
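Review bot: `component.properties = CyclonedxProperties.parse_trivy_source(properties) if properties` passes a value taken straight from the report (`component_data['properties']`) into the property parser, and the only rescue in this loop is `::Sbom::PackageUrl::InvalidPackageUrl`; a `properties` value that is not the expected array of name/value hashes would raise out of `parse_components` instead of being recorded the way a bad purl is. If the report is schema-validated before this code runs the point is moot, otherwise a rescue that calls `report.add_error("/components/#{index}/properties is invalid")` would keep one malformed component from failing the whole report. The `each_with_index` block and `parse_components` continue outside the hunk.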
@@ -5,7 +5,7 @@ module Gitlab module Parsers module Sbom # Parses GitLab CycloneDX metadata properties which are defined by the taxonomy at - # https://gitlab.com/gitlab-org/security-products/gitlab-cyclonedx-property-taxonomy + # https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html # # This parser knows how to process schema version 1 and will not attempt to parse # later versions. Each source type has it's own namespace in the property schema, @@ -14,10 +14,13 @@ module Gitlab class CyclonedxProperties SUPPORTED_SCHEMA_VERSION = '1' GITLAB_PREFIX = 'gitlab:' + AQUASECURITY_PREFIX = 'aquasecurity:' SOURCE_PARSERS = { 'dependency_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning, - 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning + 'container_scanning' => ::Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning, + 'trivy' => ::Gitlab::Ci::Parsers::Sbom::Source::Trivy }.freeze + SUPPORTED_PROPERTIES = %w[ meta:schema_version dependency_scanning:category @@ -29,12 +32,26 @@ module Gitlab container_scanning:image:tag container_scanning:operating_system:name container_scanning:operating_system:version + trivy:PkgID + trivy:PkgType + trivy:SrcName + trivy:SrcVersion + trivy:SrcRelease + trivy:SrcEpoch + trivy:Modularitylabel + trivy:FilePath + trivy:LayerDigest + trivy:LayerDiffID ].freeze def self.parse_source(...) new(...).parse_source end + def self.parse_trivy_source(...) + new(...).parse_trivy_source + end + def initialize(properties) @properties = properties end @@ -46,6 +63,12 @@ module Gitlab source end + def parse_trivy_source + return unless properties.present? + + source + end + private attr_reader :properties 
@@ -61,11 +84,15 @@ module Gitlab # The specification permits the name or value to be absent. return unless name.present? && value.present? - return unless name.start_with?(GITLAB_PREFIX) - namespaced_name = name.delete_prefix(GITLAB_PREFIX) + namespaced_name = + if name.start_with?(GITLAB_PREFIX) + name.delete_prefix(GITLAB_PREFIX) + elsif name.start_with?(AQUASECURITY_PREFIX) + name.delete_prefix(AQUASECURITY_PREFIX) + end - return unless SUPPORTED_PROPERTIES.include?(namespaced_name) + return unless namespaced_name && SUPPORTED_PROPERTIES.include?(namespaced_name) parse_name_value_pair(namespaced_name, value, data) end diff --git a/lib/gitlab/ci/parsers/sbom/source/trivy.rb b/lib/gitlab/ci/parsers/sbom/source/trivy.rb new file mode 100644 index 00000000000..0218b19e931 --- /dev/null +++ b/lib/gitlab/ci/parsers/sbom/source/trivy.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +module Gitlab + module Ci + module Parsers + module Sbom + module Source + class Trivy < BaseSource + private + + def type + :trivy + end + end + end + end + end + end +end diff --git a/lib/gitlab/ci/parsers/security/common.rb b/lib/gitlab/ci/parsers/security/common.rb index be6c6c2558b..ede0f62ea51 100644 --- a/lib/gitlab/ci/parsers/security/common.rb +++ b/lib/gitlab/ci/parsers/security/common.rb @@ -20,6 +20,7 @@ module Gitlab end def parse! + sanitize_json_data set_report_version return report_data unless valid? @@ -43,6 +44,14 @@ module Gitlab attr_reader :json_data, :report, :validate, :project + # PostgreSQL can not save texts with unicode null character + # that's why we are escaping that character. + def sanitize_json_data + return unless json_data.gsub!('\u0000', '\\\\\u0000') + + report.add_warning('Parsing', 'Report artifact contained unicode null characters which are escaped during the ingestion.') + end + def valid? return true unless validate 
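Review bot: `json_data.gsub!('\u0000', '\\\\\u0000')` in `sanitize_json_data` is a plain substring replacement, so it also fires on an already-escaped backslash: the JSON text `"\\u0000"` (a literal backslash followed by `u0000`) becomes `"\\\u0000"`, which decodes to a backslash plus a real NUL — the very character the method exists to keep out of PostgreSQL. A `\u0000` escape is only a NUL when preceded by an even number of backslashes, so the replacement should check that, e.g. `json_data.gsub!(/(?<!\\)((?:\\\\)*)\\u0000/) { "#{Regexp.last_match(1)}\\\\u0000" }`; the block form still returns nil when nothing matched, so the `return unless` guard keeps working. Whether a raw 0x00 byte in the input is rejected earlier by the JSON parser is not visible here and worth confirming in the same change.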
@@ -123,7 +132,6 @@ module Gitlab uuid: uuid, report_type: report.type, name: finding_name(data, identifiers, location), - compare_key: data['cve'] || '', location: location, evidence: evidence, severity: ::Enums::Vulnerability.parse_severity_level(data['severity']), diff --git a/lib/gitlab/ci/pipeline/chain/command.rb b/lib/gitlab/ci/pipeline/chain/command.rb index cc3aa33e93b..7e871732c20 100644 --- a/lib/gitlab/ci/pipeline/chain/command.rb +++ b/lib/gitlab/ci/pipeline/chain/command.rb @@ -62,7 +62,7 @@ module Gitlab end def before_sha - self[:before_sha] || checkout_sha || Gitlab::Git::BLANK_SHA + self[:before_sha] || checkout_sha || Gitlab::Git::SHA1_BLANK_SHA end def protected_ref? diff --git a/lib/gitlab/ci/pipeline/chain/evaluate_workflow_rules.rb b/lib/gitlab/ci/pipeline/chain/evaluate_workflow_rules.rb index ab37eb93f18..5fdba860b0e 100644 --- a/lib/gitlab/ci/pipeline/chain/evaluate_workflow_rules.rb +++ b/lib/gitlab/ci/pipeline/chain/evaluate_workflow_rules.rb @@ -13,13 +13,9 @@ module Gitlab return if workflow_passed? - if Feature.enabled?(:always_set_pipeline_failure_reason, @command.project) - drop_reason = :filtered_by_workflow_rules - end - error( 'Pipeline filtered out by workflow rules.', - drop_reason: drop_reason + drop_reason: :filtered_by_workflow_rules ) end diff --git a/lib/gitlab/ci/pipeline/chain/helpers.rb b/lib/gitlab/ci/pipeline/chain/helpers.rb index 0e55928ff80..5dfe918042e 100644 --- a/lib/gitlab/ci/pipeline/chain/helpers.rb +++ b/lib/gitlab/ci/pipeline/chain/helpers.rb @@ -45,7 +45,7 @@ module Gitlab else command.increment_pipeline_failure_reason_counter(drop_reason) - pipeline.set_failed(drop_reason) if Feature.enabled?(:always_set_pipeline_failure_reason, command.project) + pipeline.set_failed(drop_reason) end end end diff --git a/lib/gitlab/ci/pipeline/chain/populate.rb b/lib/gitlab/ci/pipeline/chain/populate.rb index f73addcd098..e9097182262 100644 --- a/lib/gitlab/ci/pipeline/chain/populate.rb 
+++ b/lib/gitlab/ci/pipeline/chain/populate.rb @@ -18,14 +18,10 @@ module Gitlab pipeline.stages = @command.pipeline_seed.stages if stage_names.empty? - if Feature.enabled?(:always_set_pipeline_failure_reason, @command.project) - drop_reason = :filtered_by_rules - end - return error( 'Pipeline will not run for the selected trigger. ' \ 'The rules configuration prevented any jobs from being added to the pipeline.', - drop_reason: drop_reason + drop_reason: :filtered_by_rules ) end diff --git a/lib/gitlab/ci/pipeline/chain/populate_metadata.rb b/lib/gitlab/ci/pipeline/chain/populate_metadata.rb index 3ac910da752..8e6426be679 100644 --- a/lib/gitlab/ci/pipeline/chain/populate_metadata.rb +++ b/lib/gitlab/ci/pipeline/chain/populate_metadata.rb @@ -35,7 +35,10 @@ module Gitlab end def set_auto_cancel - auto_cancel = @command.yaml_processor_result.workflow_auto_cancel + auto_cancel_from_config = @command.yaml_processor_result.workflow_auto_cancel || {} + auto_cancel_from_rules = @command.workflow_rules_result&.auto_cancel || {} + + auto_cancel = auto_cancel_from_config.merge(auto_cancel_from_rules) return if auto_cancel.blank? diff --git a/lib/gitlab/ci/reports/sbom/component.rb b/lib/gitlab/ci/reports/sbom/component.rb index 59816e75b2c..1a3f689c1d7 100644 --- a/lib/gitlab/ci/reports/sbom/component.rb +++ b/lib/gitlab/ci/reports/sbom/component.rb @@ -8,12 +8,14 @@ module Gitlab include Gitlab::Utils::StrongMemoize attr_reader :component_type, :version, :path + attr_accessor :properties - def initialize(type:, name:, purl:, version:) + def initialize(type:, name:, purl:, version:, properties: nil) @component_type = type @name = name @raw_purl = purl @version = version + @properties = properties end def <=>(other) diff --git a/lib/gitlab/ci/reports/security/finding.rb b/lib/gitlab/ci/reports/security/finding.rb index fa8494483d3..fbca1e674d1 100644 --- a/lib/gitlab/ci/reports/security/finding.rb +++ b/lib/gitlab/ci/reports/security/finding.rb 
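Review bot: The precedence between the two auto-cancel sources in `set_auto_cancel` exists only in the argument order of `auto_cancel = auto_cancel_from_config.merge(auto_cancel_from_rules)`, which a reader can easily invert; a one-line comment would pin it down, e.g. `# Keys set by the matched workflow rule override the top-level workflow:auto_cancel keys.` The `|| {}` defaults on both lines also deserve a note that they exist so `merge` never sees nil when either source is absent. `set_auto_cancel` continues outside the hunk.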
@@ -7,7 +7,6 @@ module Gitlab class Finding include ::VulnerabilityFindingHelpers - attr_reader :compare_key attr_reader :confidence attr_reader :identifiers attr_reader :flags @@ -34,10 +33,7 @@ module Gitlab delegate :file_path, :start_line, :end_line, to: :location - alias_method :cve, :compare_key - - def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [], location:, evidence:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false, found_by_pipeline: nil, cvss: []) # rubocop:disable Metrics/ParameterLists - @compare_key = compare_key + def initialize(identifiers:, flags: [], links: [], remediations: [], location:, evidence:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false, found_by_pipeline: nil, cvss: []) # rubocop:disable Metrics/ParameterLists @confidence = confidence @identifiers = identifiers @flags = flags @@ -65,7 +61,6 @@ module Gitlab def to_hash %i[ - compare_key confidence identifiers flags @@ -84,7 +79,6 @@ module Gitlab details signatures description - cve solution ].index_with do |key| public_send(key) # rubocop:disable GitlabSecurity/PublicSend @@ -141,7 +135,7 @@ module Gitlab def <=>(other) if severity == other.severity - compare_key <=> other.compare_key + uuid <=> other.uuid else ::Enums::Vulnerability.severity_levels[other.severity] <=> ::Enums::Vulnerability.severity_levels[severity] @@ -200,7 +194,7 @@ module Gitlab private def generate_project_fingerprint - Digest::SHA1.hexdigest(compare_key) + Digest::SHA1.hexdigest(uuid.to_s) end def location_fingerprints 
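Review bot: `Digest::SHA1.hexdigest(uuid.to_s)` changes the input of `generate_project_fingerprint` from `compare_key` (which common.rb built as `data['cve'] || ''`) to `uuid`, so every fingerprint produced after this commit differs from the values produced before it; if that fingerprint is persisted or compared against stored findings anywhere, matching breaks, and the commit should say why that is safe. The new comparison `uuid <=> other.uuid` in `<=>` also returns nil if either uuid is nil (compare_key always defaulted to a string), which makes a sort over findings raise; `uuid.to_s <=> other.uuid.to_s` would preserve the old total ordering if nil is reachable. Both methods' enclosing class continues outside the hunk.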
diff --git a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml index a5cddf5d2d7..6f8bed32796 100644 --- a/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml @@ -1,5 +1,5 @@ variables: - DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.71.0' + DAST_AUTO_DEPLOY_IMAGE_VERSION: 'v2.76.1' .dast-auto-deploy: image: "${CI_TEMPLATE_REGISTRY_HOST}/gitlab-org/cluster-integration/auto-deploy-image:${DAST_AUTO_DEPLOY_IMAGE_VERSION}" diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml index 0a899f3bb74..52367cfe97d 100644 --- a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml @@ -1,5 +1,5 @@ variables: - AUTO_DEPLOY_IMAGE_VERSION: 'v2.71.0' + AUTO_DEPLOY_IMAGE_VERSION: 'v2.76.1' .auto-deploy: image: "${CI_TEMPLATE_REGISTRY_HOST}/gitlab-org/cluster-integration/auto-deploy-image:${AUTO_DEPLOY_IMAGE_VERSION}" diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml index 87a7f79c0ce..06dc91a8bbc 100644 --- a/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/Deploy.latest.gitlab-ci.yml @@ -1,5 +1,5 @@ variables: - AUTO_DEPLOY_IMAGE_VERSION: 'v2.71.0' + AUTO_DEPLOY_IMAGE_VERSION: 'v2.76.1' .auto-deploy: image: "${CI_TEMPLATE_REGISTRY_HOST}/gitlab-org/cluster-integration/auto-deploy-image:${AUTO_DEPLOY_IMAGE_VERSION}" diff --git a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml index 1ed4cd86e82..4b60298353d 100644 --- a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml 
@@ -21,7 +21,7 @@ variables: dast: stage: dast image: - name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION" + name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX" variables: GIT_STRATEGY: none allow_failure: true @@ -30,3 +30,10 @@ dast: artifacts: reports: dast: gl-dast-report.json + rules: + - if: $CI_GITLAB_FIPS_MODE == "true" + variables: + DAST_IMAGE_SUFFIX: "-fips" + - if: $CI_GITLAB_FIPS_MODE != "true" + variables: + DAST_IMAGE_SUFFIX: "" diff --git a/lib/gitlab/ci/templates/Security/DAST-Runner-Validation.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-Runner-Validation.gitlab-ci.yml index c75ff2e9ff8..8043b6a95cc 100644 --- a/lib/gitlab/ci/templates/Security/DAST-Runner-Validation.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/DAST-Runner-Validation.gitlab-ci.yml @@ -18,9 +18,16 @@ variables: validation: stage: dast image: - name: "$CI_TEMPLATE_REGISTRY_HOST/security-products/dast-runner-validation:$DAST_RUNNER_VALIDATION_VERSION" + name: "$CI_TEMPLATE_REGISTRY_HOST/security-products/dast-runner-validation:$DAST_RUNNER_VALIDATION_VERSION$DAST_IMAGE_SUFFIX" variables: GIT_STRATEGY: none allow_failure: false script: - ~/validate.sh + rules: + - if: $CI_GITLAB_FIPS_MODE == "true" + variables: + DAST_IMAGE_SUFFIX: "-fips" + - if: $CI_GITLAB_FIPS_MODE != "true" + variables: + DAST_IMAGE_SUFFIX: "" |
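Review bot: The two rules added to `dast` (and likewise to `validation` in DAST-Runner-Validation) only form a complete partition because an unset `$CI_GITLAB_FIPS_MODE` compares unequal to `"true"` and so still matches `- if: $CI_GITLAB_FIPS_MODE != "true"`; without that knowledge a reader could conclude the job is now skipped on non-FIPS runners that never define the variable. A comment above the rules, `# An unset CI_GITLAB_FIPS_MODE satisfies the second rule, so the job still runs with the default image.`, records the intent. The same note applies to the second template's hunk.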