Multi-valued Cluster Image Scanning CI filter variables

31b725d6 · Dominic Bauer · Stan Hu · c88b81ff · 31b725d6 · 31b725d6
Commit 31b725d6 authored Jan 12, 2022 by Dominic Bauer Committed by Stan Hu Jan 12, 2022
4 changed files
--- a/doc/user/application_security/cluster_image_scanning/index.md
+++ b/doc/user/application_security/cluster_image_scanning/index.md
@@ -172,10 +172,10 @@ You can [configure](#customize-the-cluster-image-scanning-settings) analyzers by
 | CI/CD Variable                 | Default       | Description |
 | ------------------------------ | ------------- | ----------- |
 | `CIS_KUBECONFIG`               | `""` | File used to configure access to the Kubernetes cluster. See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) for more details. |
-| `CIS_CONTAINER_NAME` | `""` | Name of the container used in the Kubernetes resource you want to filter vulnerabilities for. For example, `alpine`.  |
-| `CIS_RESOURCE_NAME` | `""` | Name of the Kubernetes resource you want to filter vulnerabilities for. For example, `nginx`.   |
-| `CIS_RESOURCE_NAMESPACE` | `""` | Namespace of the Kubernetes resource you want to filter vulnerabilities for. For example, `production`.   |
-| `CIS_RESOURCE_KIND` | `""` | Kind of the Kubernetes resource you want to filter vulnerabilities for. For example, `deployment`.  |
+| `CIS_CONTAINER_NAMES` | `""` | A comma-separated list of container names used in the Kubernetes resources you want to filter vulnerabilities for. For example, `alpine,postgres`.  |
+| `CIS_RESOURCE_NAMES` | `""` | A comma-separated list of Kubernetes resources you want to filter vulnerabilities for. For example, `nginx,redis`.   |
+| `CIS_RESOURCE_NAMESPACES` | `""` | A comma-separated list of namespaces of the Kubernetes resources you want to filter vulnerabilities for. For example, `production,staging`.   |
+| `CIS_RESOURCE_KINDS` | `""` | A comma-separated list of the kinds of Kubernetes resources to filter vulnerabilities for. For example, `deployment,pod`. |
 | `CIS_CLUSTER_IDENTIFIER` | `""` | ID of the Kubernetes cluster integrated with GitLab. This is used to map vulnerabilities to the cluster so they can be filtered in the Vulnerability Report page. |

 #### Override the cluster image scanning template

--- a/ee/app/services/security/security_orchestration_policies/cluster_image_scanning_ci_variables_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/cluster_image_scanning_ci_variables_service.rb
@@ -20,10 +20,10 @@ module Security
        return SCAN_VARIABLES if resource_filters.blank?

        SCAN_VARIABLES.merge({
-          'CIS_CONTAINER_NAME' => resource_filter_value(resource_filters[:containers]),
-          'CIS_RESOURCE_NAME' => resource_filter_value(resource_filters[:resources]),
-          'CIS_RESOURCE_NAMESPACE' => resource_filter_value(resource_filters[:namespaces]),
-          'CIS_RESOURCE_KIND' => resource_filter_value(resource_filters[:kinds])
+          'CIS_CONTAINER_NAMES' => resource_filter_value(resource_filters[:containers]),
+          'CIS_RESOURCE_NAMES' => resource_filter_value(resource_filters[:resources]),
+          'CIS_RESOURCE_NAMESPACES' => resource_filter_value(resource_filters[:namespaces]),
+          'CIS_RESOURCE_KINDS' => resource_filter_value(resource_filters[:kinds])
        }.compact)
      end

@@ -40,12 +40,9 @@ module Security
      end

      def resource_filter_value(filter_values)
-        # TODO: Add support for multiple values in filter (modify analyzer to support that).
        return if filter_values.blank?

-        filter_values
-          .compact
-          .first
+        filter_values.compact.join(",")
      end
    end
  end

--- a/ee/spec/services/security/security_orchestration_policies/cluster_image_scanning_ci_variables_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/cluster_image_scanning_ci_variables_service_spec.rb
@@ -34,15 +34,15 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ClusterImageScanningCiVa
    subject(:generated_variables) { service.execute(action) }

    shared_examples 'with cluster image scanning resource filters' do
-      it 'generates CI variable values with first value for each resource filter' do
+      it 'generates comma-separated CI variable values for each resource filter' do
        ci_variables, _ = generated_variables

        expect(ci_variables).to eq(
          'CLUSTER_IMAGE_SCANNING_DISABLED' => nil,
-          'CIS_CONTAINER_NAME' => 'nginx',
-          'CIS_RESOURCE_NAME' => 'nginx-www',
-          'CIS_RESOURCE_NAMESPACE' => 'gitlab-production',
-          'CIS_RESOURCE_KIND' => 'deployment'
+          'CIS_CONTAINER_NAMES' => 'nginx,falco',
+          'CIS_RESOURCE_NAMES' => 'nginx-www,nginx-admin',
+          'CIS_RESOURCE_NAMESPACES' => 'gitlab-production,cluster-apps',
+          'CIS_RESOURCE_KINDS' => 'deployment,daemonset'
        )
      end
    end

--- a/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
@@ -103,7 +103,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CreatePipelineService do
                masked: false
              ),
              {
-                key: 'CIS_RESOURCE_NAMESPACE',
+                key: 'CIS_RESOURCE_NAMESPACES',
                masked: false,
                public: true,
                value: 'gitlab-namespace'