Automatic merge of gitlab-org/gitlab master

app/views/ci/variables/_header.html.haml

@@ -3,7 +3,7 @@
 %h4
   = _('Variables')
 
-%button.btn.btn-default.js-settings-toggle{ type: 'button' }
+%button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
   = expanded ? _('Collapse') : _('Expand')
 
 %p

app/views/projects/settings/ci_cd/_autodevops_form.html.haml

@@ -54,4 +54,4 @@
                     = s_('CICD|Automatic deployment to staging, manual deployment to production')
                     = link_to sprite_icon('question-o'), help_page_path('topics/autodevops/customize.md', anchor: 'incremental-rollout-to-production'), target: '_blank'
 
-          = f.submit _('Save changes'), class: "btn btn-success gl-mt-5", data: { qa_selector: 'save_changes_button' }
+          = f.submit _('Save changes'), class: "btn gl-button btn-success gl-mt-5", data: { qa_selector: 'save_changes_button' }

app/views/projects/settings/ci_cd/show.html.haml

@@ -9,7 +9,7 @@
   .settings-header
     %h4
       = _("General pipelines")
-    %button.btn.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       = _("Customize your pipeline configuration and coverage report.")
@@ -20,7 +20,7 @@
   .settings-header
     %h4
       = s_('CICD|Auto DevOps')
-    %button.btn.btn-default.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       - auto_devops_url = help_page_path('topics/autodevops/index')
@@ -37,7 +37,7 @@
   .settings-header
     %h4
       = _("Runners")
-    %button.btn.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       = _("Runners are processes that pick up and execute CI/CD jobs for GitLab.")
@@ -49,7 +49,7 @@
   .settings-header
     %h4
       = _("Artifacts")
-    %button.btn.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       = _("A job artifact is an archive of files and directories saved by a job when it finishes.")
@@ -66,7 +66,7 @@
   .settings-header
     %h4
       = _("Pipeline triggers")
-    %button.btn.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       = _("Trigger a pipeline for a branch or tag by generating a trigger token and using it with an API call. The token impersonates a user's project access and permissions.")
@@ -79,7 +79,7 @@
     .settings-header
       %h4
         = _("Clean up image tags")
-      %button.btn.js-settings-toggle{ type: 'button' }
+      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
         = expanded ? _('Collapse') : _('Expand')
       %p
         = _("Save space and find images in the Container Registry. Remove unneeded tags and keep only the ones you want.")
@@ -94,7 +94,7 @@
     .settings-header
       %h4
         = _("Deploy freezes")
-      %button.btn.js-settings-toggle{ type: 'button' }
+      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
         = expanded ? _('Collapse') : _('Expand')
       %p
         - freeze_period_docs = help_page_path('user/project/releases/index', anchor: 'prevent-unintentional-releases-by-setting-a-deploy-freeze')

changelogs/unreleased/gl-button-ci-cd.yml

+---
+title: Apply new GitLab UI for toggle buttons in CI/CD settings page
+merge_request: 53556
+author: Yogi (@yo)
+type: other

doc/api/graphql/reference/gitlab_schema.graphql

@@ -1077,6 +1077,56 @@ Identifier of Analytics::DevopsAdoption::Segment.
 """
 scalar AnalyticsDevopsAdoptionSegmentID
 
+"""
+Data associated with configuring API fuzzing scans in GitLab CI
+"""
+type ApiFuzzingCiConfiguration {
+  """
+  All available scan modes.
+  """
+  scanModes: [ApiFuzzingScanMode!]
+
+  """
+  All default scan profiles.
+  """
+  scanProfiles: [ApiFuzzingScanProfile!]
+}
+
+"""
+All possible ways to specify the API surface for an API fuzzing scan
+"""
+enum ApiFuzzingScanMode {
+  """
+  The API surface is specified by a HAR file.
+  """
+  HAR
+
+  """
+  The API surface is specified by a OPENAPI file.
+  """
+  OPENAPI
+}
+
+"""
+An API Fuzzing scan profile.
+"""
+type ApiFuzzingScanProfile {
+  """
+  A short description of the profile.
+  """
+  description: String
+
+  """
+  The unique name of the profile.
+  """
+  name: String
+
+  """
+  A syntax highlit HTML representation of the YAML.
+  """
+  yaml: String
+}
+
 """
 User availability status
 """
@@ -18465,6 +18515,11 @@ type Project {
   """
   allowMergeOnSkippedPipeline: Boolean
 
+  """
+  API fuzzing configuration for the project. Available only when feature flag `api_fuzzing_configuration_ui` is enabled.
+  """
+  apiFuzzingCiConfiguration: ApiFuzzingCiConfiguration
+
   """
   Indicates the archived status of the project.
   """

doc/api/graphql/reference/gitlab_schema.json

@@ -2678,6 +2678,141 @@
           "enumValues": null,
           "possibleTypes": null
         },
+        {
+          "kind": "OBJECT",
+          "name": "ApiFuzzingCiConfiguration",
+          "description": "Data associated with configuring API fuzzing scans in GitLab CI",
+          "fields": [
+            {
+              "name": "scanModes",
+              "description": "All available scan modes.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "LIST",
+                "name": null,
+                "ofType": {
+                  "kind": "NON_NULL",
+                  "name": null,
+                  "ofType": {
+                    "kind": "ENUM",
+                    "name": "ApiFuzzingScanMode",
+                    "ofType": null
+                  }
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "scanProfiles",
+              "description": "All default scan profiles.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "LIST",
+                "name": null,
+                "ofType": {
+                  "kind": "NON_NULL",
+                  "name": null,
+                  "ofType": {
+                    "kind": "OBJECT",
+                    "name": "ApiFuzzingScanProfile",
+                    "ofType": null
+                  }
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
+        {
+          "kind": "ENUM",
+          "name": "ApiFuzzingScanMode",
+          "description": "All possible ways to specify the API surface for an API fuzzing scan",
+          "fields": null,
+          "inputFields": null,
+          "interfaces": null,
+          "enumValues": [
+            {
+              "name": "HAR",
+              "description": "The API surface is specified by a HAR file.",
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "OPENAPI",
+              "description": "The API surface is specified by a OPENAPI file.",
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "possibleTypes": null
+        },
+        {
+          "kind": "OBJECT",
+          "name": "ApiFuzzingScanProfile",
+          "description": "An API Fuzzing scan profile.",
+          "fields": [
+            {
+              "name": "description",
+              "description": "A short description of the profile.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "name",
+              "description": "The unique name of the profile.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "yaml",
+              "description": "A syntax highlit HTML representation of the YAML.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
         {
           "kind": "ENUM",
           "name": "AvailabilityEnum",
@@ -54452,6 +54587,20 @@
               "isDeprecated": false,
               "deprecationReason": null
             },
+            {
+              "name": "apiFuzzingCiConfiguration",
+              "description": "API fuzzing configuration for the project. Available only when feature flag `api_fuzzing_configuration_ui` is enabled.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "ApiFuzzingCiConfiguration",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
             {
               "name": "archived",
               "description": "Indicates the archived status of the project.",

doc/api/graphql/reference/index.md

@@ -180,6 +180,25 @@ Autogenerated return type of AlertTodoCreate.
 | `issue` | Issue | The issue created after mutation. |
 | `todo` | Todo | The to-do item after mutation. |
 
+### ApiFuzzingCiConfiguration
+
+Data associated with configuring API fuzzing scans in GitLab CI.
+
+| Field | Type | Description |
+| ----- | ---- | ----------- |
+| `scanModes` | ApiFuzzingScanMode! => Array | All available scan modes. |
+| `scanProfiles` | ApiFuzzingScanProfile! => Array | All default scan profiles. |
+
+### ApiFuzzingScanProfile
+
+An API Fuzzing scan profile..
+
+| Field | Type | Description |
+| ----- | ---- | ----------- |
+| `description` | String | A short description of the profile. |
+| `name` | String | The unique name of the profile. |
+| `yaml` | String | A syntax highlit HTML representation of the YAML. |
+
 ### AwardEmoji
 
 An emoji awarded by a user.
@@ -2800,6 +2819,7 @@ Autogenerated return type of PipelineRetry.
 | `alertManagementIntegrations` | AlertManagementIntegrationConnection | Integrations which can receive alerts for the project. |
 | `alertManagementPayloadFields` | AlertManagementPayloadAlertField! => Array | Extract alert fields from payload for custom mapping |
 | `allowMergeOnSkippedPipeline` | Boolean | If `only_allow_merge_if_pipeline_succeeds` is true, indicates if merge requests of the project can also be merged with skipped jobs. |
+| `apiFuzzingCiConfiguration` | ApiFuzzingCiConfiguration | API fuzzing configuration for the project. Available only when feature flag `api_fuzzing_configuration_ui` is enabled. |
 | `archived` | Boolean | Indicates the archived status of the project. |
 | `autocloseReferencedIssues` | Boolean | Indicates if issues referenced by merge requests and commits within the default branch are closed automatically. |
 | `avatarUrl` | String | URL to avatar image file of the project. |
@@ -4575,6 +4595,15 @@ Alert status values.
 | `RESOLVED` | Resolved status |
 | `TRIGGERED` | Triggered status |
 
+### ApiFuzzingScanMode
+
+All possible ways to specify the API surface for an API fuzzing scan.
+
+| Value | Description |
+| ----- | ----------- |
+| `HAR` | The API surface is specified by a HAR file. |
+| `OPENAPI` | The API surface is specified by a OPENAPI file. |
+
 ### AvailabilityEnum
 
 User availability status.

doc/development/code_review.md

@@ -385,9 +385,12 @@ When ready to merge:
 - Consider using the [Squash and
   merge](../user/project/merge_requests/squash_and_merge.md#squash-and-merge)
   feature when the merge request has a lot of commits.
-  When merging code a maintainer should only use the squash feature if the
-  author has already set this option or if the merge request clearly contains a
-  messy commit history that is intended to be squashed.
+  When merging code, a maintainer should only use the squash feature if the
+  author has already set this option, or if the merge request clearly contains a
+  messy commit history, it will be more efficient to squash commits instead of
+  circling back with the author about that. Otherwise, if the MR only has a few commits, we'll
+  be respecting the author's setting by not squashing them.
+
 - **Start a new merge request pipeline with the `Run Pipeline` button in the merge
   request's "Pipelines" tab, and enable "Merge When Pipeline Succeeds" (MWPS).** Note that:
   - If the **latest [Pipeline for Merged Results](../ci/merge_request_pipelines/pipelines_for_merged_results/#pipelines-for-merged-results)** finished less than 2 hours ago, you

ee/app/graphql/ee/types/project_type.rb

@@ -127,6 +127,23 @@ module EE
               null: true,
               description: 'Incident Management On-call schedules of the project',
               resolver: ::Resolvers::IncidentManagement::OncallScheduleResolver
+
+        field :api_fuzzing_ci_configuration,
+              ::Types::CiConfiguration::ApiFuzzingType,
+              null: true,
+              description: 'API fuzzing configuration for the project.',
+              feature_flag: :api_fuzzing_configuration_ui
+      end
+
+      def api_fuzzing_ci_configuration
+        return unless Ability.allowed?(current_user, :read_vulnerability, object)
+
+        configuration = ::Security::ApiFuzzing::CiConfiguration.new(project: object)
+
+        {
+          scan_modes: ::Security::ApiFuzzing::CiConfiguration::SCAN_MODES,
+          scan_profiles: configuration.scan_profiles
+        }
       end
 
       def dast_profiles

ee/app/graphql/types/ci_configuration/api_fuzzing/scan_mode_enum.rb

+# frozen_string_literal: true
+
+module Types
+  module CiConfiguration
+    module ApiFuzzing
+      class ScanModeEnum < BaseEnum
+        graphql_name 'ApiFuzzingScanMode'
+        description 'All possible ways to specify the API surface for an API fuzzing scan'
+
+        ::Security::ApiFuzzing::CiConfiguration::SCAN_MODES.each do |mode|
+          value mode.upcase, value: mode, description: "The API surface is specified by a #{mode.upcase} file."
+        end
+      end
+    end
+  end
+end

ee/app/graphql/types/ci_configuration/api_fuzzing/scan_profile_type.rb

+# frozen_string_literal: true
+
+module Types
+  module CiConfiguration
+    module ApiFuzzing
+      # rubocop: disable Graphql/AuthorizeTypes
+      class ScanProfileType < BaseObject
+        graphql_name 'ApiFuzzingScanProfile'
+        description 'An API Fuzzing scan profile.'
+
+        field :name, GraphQL::STRING_TYPE, null: true,
+              description: 'The unique name of the profile.'
+
+        field :description, GraphQL::STRING_TYPE, null: true,
+              description: 'A short description of the profile.'
+
+        field :yaml, GraphQL::STRING_TYPE, null: true,
+              description: 'A syntax highlit HTML representation of the YAML.'
+      end
+      # rubocop: enable Graphql/AuthorizeTypes
+    end
+  end
+end

ee/app/graphql/types/ci_configuration/api_fuzzing_type.rb

+# frozen_string_literal: true
+
+module Types
+  module CiConfiguration
+    # rubocop: disable Graphql/AuthorizeTypes
+    class ApiFuzzingType < BaseObject
+      graphql_name 'ApiFuzzingCiConfiguration'
+      description 'Data associated with configuring API fuzzing scans in GitLab CI'
+
+      field :scan_modes, [ApiFuzzing::ScanModeEnum], null: true,
+            description: 'All available scan modes.'
+
+      field :scan_profiles, [ApiFuzzing::ScanProfileType], null: true,
+            description: 'All default scan profiles.'
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+  end
+end

ee/app/models/security/api_fuzzing/ci_configuration.rb

+# frozen_string_literal: true
+
+module Security
+  module ApiFuzzing
+    class CiConfiguration
+      PROFILES_DEFINITION_FILE = 'https://gitlab.com/gitlab-org/security-products/analyzers' \
+                                 '/api-fuzzing/-/raw/master/gitlab-api-fuzzing-config.yml'
+      SCAN_MODES = [:har, :openapi].freeze
+
+      def initialize(project:)
+        @project = project
+      end
+
+      def scan_profiles
+        fetch_scan_profiles.map do |profile|
+          next unless ScanProfile::NAMES.include?(profile[:Name])
+
+          ScanProfile.new(
+            name: profile[:Name],
+            project: project,
+            yaml: profile.deep_stringify_keys.to_yaml
+          )
+        end.compact
+      end
+
+      private
+
+      attr_reader :project
+
+      def fetch_scan_profiles
+        response = Gitlab::HTTP.try_get(PROFILES_DEFINITION_FILE)
+
+        if response && response.code.to_i < 300
+          content = Gitlab::Config::Loader::Yaml.new(response.to_s).load!
+
+          content.fetch(:Profiles, [])
+        else
+          []
+        end
+      end
+    end
+  end
+end

ee/app/models/security/api_fuzzing/scan_profile.rb

+# frozen_string_literal: true
+
+module Security
+  module ApiFuzzing
+    class ScanProfile
+      NAMES = %w(Quick-10 Medium-20 Medium-50 Long-100).freeze
+
+      DESCRIPTIONS = {
+        'Quick-10' => 'Fuzzing 10 times per parameter',
+        'Medium-20' => 'Fuzzing 20 times per parameter',
+        'Medium-50' => 'Fuzzing 50 times per parameter',
+        'Long-100' => 'Fuzzing 100 times per parameter'
+      }.freeze
+
+      attr_reader :description, :name, :project, :yaml
+
+      def initialize(name:, project:, yaml:)
+        @description = DESCRIPTIONS[name]
+        @name = name
+        @project = project
+        @yaml = yaml
+      end
+    end
+  end
+end

ee/app/views/projects/settings/ci_cd/_auto_rollback.html.haml

@@ -3,7 +3,7 @@
     .settings-header
       %h4
         = _("Automatic deployment rollbacks")
-      %button.gl-button.btn.js-settings-toggle{ type: 'button' }
+      %button.gl-button.btn-default.btn.js-settings-toggle{ type: 'button' }
         = expanded ? _('Collapse') : _('Expand')
       %p
         = s_('AutoRollback|Automatically roll back to the last successful deployment when a critical problem is detected.')

ee/app/views/projects/settings/ci_cd/_pipeline_subscriptions.html.haml

@@ -6,7 +6,7 @@
   .settings-header
     %h4
       = _("Pipeline subscriptions")
-    %button.btn.gl-button.js-settings-toggle{ type: 'button' }
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
       - default_branch_docs = link_to(_("default branch"), help_page_path('user/project/repository/branches/index.md', anchor: 'default-branch'))

ee/app/views/projects/settings/ci_cd/_protected_environments.html.haml

@@ -6,7 +6,7 @@
     .settings-header
       %h4
         = _('Protected environments')
-      %button.btn.gl-button.js-settings-toggle{ type: 'button' }
+      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
         = expanded ? _('Collapse') : _('Expand')
       %p
         = s_('ProtectedEnvironment|Only specified users can execute deployments in a protected environment.')

ee/spec/graphql/types/ci_configuration/api_fuzzing/scan_mode_enum_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['ApiFuzzingScanMode'] do
+  it 'exposes all API fuzzing scan modes' do
+    expect(described_class.values.keys).to match_array(%w[HAR OPENAPI])
+  end
+end

ee/spec/graphql/types/ci_configuration/api_fuzzing/scan_profile_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['ApiFuzzingScanProfile'] do
+  let_it_be(:fields) { %i[name description yaml] }
+
+  it { expect(described_class).to have_graphql_fields(fields) }
+end

ee/spec/graphql/types/ci_configuration/api_fuzzing_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['ApiFuzzingCiConfiguration'] do
+  let_it_be(:fields) { %i[scanModes scanProfiles] }
+
+  it { expect(described_class).to have_graphql_fields(fields) }
+end

ee/spec/graphql/types/project_type_spec.rb

@@ -20,7 +20,7 @@ RSpec.describe GitlabSchema.types['Project'] do
       vulnerabilities vulnerability_scanners requirement_states_count
       vulnerability_severities_count packages compliance_frameworks vulnerabilities_count_by_day
       security_dashboard_path iterations cluster_agents repository_size_excess actual_repository_size_limit
-      code_coverage_summary
+      code_coverage_summary api_fuzzing_ci_configuration
     ]
 
     expect(described_class).to include_graphql_fields(*expected_fields)

ee/spec/models/security/api_fuzzing/ci_configuration_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::ApiFuzzing::CiConfiguration do
+  include StubRequests
+
+  describe '#scan_profiles' do
+    context 'when the request finishes successfully' do
+      it 'returns all scan profiles' do
+        profiles_yaml = YAML.dump(Profiles: [{ Name: 'Quick-10' }])
+        stub_full_request(
+          ::Security::ApiFuzzing::CiConfiguration::PROFILES_DEFINITION_FILE
+        ).to_return(body: profiles_yaml)
+
+        profiles = described_class.new(project: double(Project)).scan_profiles
+
+        expect(profiles.first.name).to eq('Quick-10')
+      end
+
+      context 'when the response includes unknown scan profiles' do
+        it 'excludes them from the returned profiles' do
+          profiles_yaml = YAML.dump(Profiles: [{ Name: 'UNKNOWN!' }])
+          stub_full_request(
+            ::Security::ApiFuzzing::CiConfiguration::PROFILES_DEFINITION_FILE
+          ).to_return(body: profiles_yaml)
+
+          profiles = described_class.new(project: double(Project)).scan_profiles
+
+          expect(profiles).to be_empty
+        end
+      end
+    end
+
+    context 'when the request errors' do
+      it 'returns an empty array' do
+        allow(Gitlab::HTTP).to receive(:try_get)
+
+        profiles = described_class.new(project: double(Project)).scan_profiles
+
+        expect(profiles).to be_empty
+      end
+    end
+
+    context 'when the request returns an unsuccessful status code' do
+      it 'returns an empty array' do
+        stub_full_request(
+          ::Security::ApiFuzzing::CiConfiguration::PROFILES_DEFINITION_FILE
+        ).to_return(status: [500, 'everything is broken'])
+
+        profiles = described_class.new(project: double(Project)).scan_profiles
+
+        expect(profiles).to be_empty
+      end
+    end
+  end
+end

ee/spec/requests/api/graphql/ci_configuration/api_fuzzing/type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Query.project(fullPath).apiFuzzingCiConfiguration' do
+  include GraphqlHelpers
+  include StubRequests
+
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  let_it_be(:query) do
+    %(
+      query {
+        project(fullPath: "#{project.full_path}") {
+          apiFuzzingCiConfiguration {
+            scanModes
+            scanProfiles {
+              name
+              description
+              yaml
+            }
+          }
+        }
+      }
+    )
+  end
+
+  let_it_be(:profiles_yaml) do
+    YAML.dump(
+      Profiles: [
+        { Name: 'Quick-10' }
+      ]
+    )
+  end
+
+  before do
+    project.add_developer(user)
+
+    stub_full_request(
+      ::Security::ApiFuzzing::CiConfiguration::PROFILES_DEFINITION_FILE
+    ).to_return(body: profiles_yaml)
+  end
+
+  context 'when the api_fuzzing_configuration_ui feature flag is enabled' do
+    before do
+      stub_feature_flags(api_fuzzing_configuration_ui: true)
+    end
+
+    context 'when the user can read vulnerabilities for the project' do
+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+
+      it 'returns scan modes and scan profiles' do
+        post_graphql(query, current_user: user)
+
+        expect(response).to have_gitlab_http_status(:ok)
+
+        fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
+        modes = fuzzing_config['scanModes']
+        profiles = fuzzing_config['scanProfiles']
+        expect(modes).to contain_exactly('HAR', 'OPENAPI')
+        expect(profiles).to contain_exactly({
+          'name' => 'Quick-10',
+          'description' => 'Fuzzing 10 times per parameter',
+          'yaml' => "---\nName: Quick-10\n"
+        })
+      end
+    end
+
+    context 'when the user cannot read vulnerabilities for the project' do
+      before do
+        stub_licensed_features(security_dashboard: false)
+      end
+
+      it 'returns null' do
+        post_graphql(query, current_user: user)
+
+        expect(response).to have_gitlab_http_status(:ok)
+
+        fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
+        expect(fuzzing_config).to be_nil
+      end
+    end
+  end
+
+  context 'when the api_fuzzing_configuration_ui feature flag is disabled' do
+    before do
+      stub_feature_flags(api_fuzzing_configuration_ui: false)
+    end
+
+    it 'errors' do
+      post_graphql(query, current_user: user)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(graphql_errors.first['message']).to eq(
+        "Field 'apiFuzzingCiConfiguration' doesn't exist on type 'Project'"
+      )
+    end
+  end
+end

spec/requests/api/graphql/packages/package_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe 'package details' do
   end
 
   let(:depth) { 3 }
-  let(:excluded) { ['metadata'] }
+  let(:excluded) { %w[metadata apiFuzzingCiConfiguration] }
 
   let(:query) do
     graphql_query_for(:package, { id: package_global_id }, <<~FIELDS)