Merge branch '327508-move-defaults-to-script-apifuzz' into 'master'

Move defaults to script for API Fuzzing CI template

See merge request gitlab-org/gitlab!60171

doc/user/application_security/api_fuzzing/index.md

@@ -599,7 +599,6 @@ repository's root as `.gitlab-api-fuzzing.yml`.
 | `FUZZAPI_TARGET_URL`                                 | Base URL of API testing target. |
 |[`FUZZAPI_CONFIG`](#configuration-files)              | API Fuzzing configuration file. Defaults to `.gitlab-apifuzzer.yml`. |
 |[`FUZZAPI_PROFILE`](#configuration-files)             | Configuration profile to use during testing. Defaults to `Quick`. |
-| `FUZZAPI_REPORT`                                     | Scan report filename. Defaults to `gl-api_fuzzing-report.xml`. |
 |[`FUZZAPI_OPENAPI`](#openapi-specification)           | OpenAPI specification file or URL. |
 |[`FUZZAPI_HAR`](#http-archive-har)                    | HTTP Archive (HAR) file. |
 |[`FUZZAPI_POSTMAN_COLLECTION`](#postman-collection)   | Postman Collection file. |
@@ -611,18 +610,6 @@ repository's root as `.gitlab-api-fuzzing.yml`.
 |[`FUZZAPI_HTTP_USERNAME`](#http-basic-authentication) | Username for HTTP authentication. |
 |[`FUZZAPI_HTTP_PASSWORD`](#http-basic-authentication) | Password for HTTP authentication. |
 
-<!--|[`FUZZAPI_D_TARGET_IMAGE`](#target-container) |API target docker image |
-|[`FUZZAPI_D_TARGET_ENV`](#target-container)   |Docker environment options |
-|[`FUZZAPI_D_TARGET_VOLUME`](#target-container) | Docker volume options |
-|[`FUZZAPI_D_TARGET_PORTS`](#target-container) |Docker port options |
-| `FUZZAPI_D_WORKER_IMAGE`    |Custom worker docker image |
-| `FUZZAPI_D_WORKER_ENV`      |Custom worker docker environment options |
-| `FUZZAPI_D_WORKER_VOLUME`   |Custom worker docker volume options |
-| `FUZZAPI_D_WORKER_PORTS`    |Custom worker docker port options |
-| `FUZZAPI_D_NETWORK`         |Name of docker network, defaults to "testing-net"|
-| `FUZZAPI_D_PRE_SCRIPT`      |Pre script runs after docker login and docker network create, but before starting the scanning image container.|
-| `FUZZAPI_D_POST_SCRIPT`     |Post script runs after scanning image container is started. This is the place to start your target(s) and kick off scanning when using an advanced configuration.| -->
-
 ### Overrides
 
 API Fuzzing provides a method to add or override specific items in your request, for example:

ee/changelogs/unreleased/327508-move-defaults-to-script-apifuzz.yml

+---
+title: Move API Fuzzing variable defaults into script
+merge_request: 60171
+author:
+type: changed

ee/spec/lib/gitlab/ci/templates/api_fuzzing_latest_gitlab_ci_yaml_spec.rb

@@ -75,7 +75,7 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
         end
 
         it 'includes job to display error' do
-          expect(build_names).to match_array(%w[apifuzzer_fuzz_unlicensed])
+          expect(build_names).to match_array(%w[apifuzzer_fuzz])
         end
       end
 

lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml

@@ -5,41 +5,13 @@
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 
 variables:
-    FUZZAPI_PROFILE: Quick
     FUZZAPI_VERSION: "1"
-    FUZZAPI_CONFIG: .gitlab-api-fuzzing.yml
-    FUZZAPI_TIMEOUT: 30
-    FUZZAPI_REPORT: gl-api-fuzzing-report.json
-    FUZZAPI_REPORT_ASSET_PATH: assets
-    #
-    # Wait up to 5 minutes for API Fuzzer and target url to become
-    # available (non 500 response to HTTP(s))
-    FUZZAPI_SERVICE_START_TIMEOUT: "300"
-    #
     SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
     FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
-    #
-
-apifuzzer_fuzz_unlicensed:
-    stage: fuzz
-    allow_failure: true
-    rules:
-        - if: '$GITLAB_FEATURES !~ /\bapi_fuzzing\b/ && $API_FUZZING_DISABLED == null'
-        - when: never
-    script:
-        - |
-            echo "Error: Your GitLab project is not licensed for API Fuzzing."
-        - exit 1
 
 apifuzzer_fuzz:
     stage: fuzz
     image: $FUZZAPI_IMAGE
-    variables:
-        FUZZAPI_PROJECT: $CI_PROJECT_PATH
-        FUZZAPI_API: http://localhost:80
-        FUZZAPI_NEW_REPORT: 1
-        FUZZAPI_LOG_SCANNER: gl-apifuzzing-api-scanner.log
-        TZ: America/Los_Angeles
     allow_failure: true
     rules:
         - if: $API_FUZZING_DISABLED
@@ -47,44 +19,16 @@ apifuzzer_fuzz:
         - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
                 $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
           when: never
-        - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
+        - if: $CI_COMMIT_BRANCH
     script:
-        #
-        # Validate options
-        - |
-            if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI$FUZZAPI_POSTMAN_COLLECTION" == "" ]; then \
-                echo "Error: One of FUZZAPI_HAR, FUZZAPI_OPENAPI, or FUZZAPI_POSTMAN_COLLECTION must be provided."; \
-                echo "See https://docs.gitlab.com/ee/user/application_security/api_fuzzing/ for information on how to configure API Fuzzing."; \
-                exit 1; \
-            fi
-        #
-        # Run user provided pre-script
-        - sh -c "$FUZZAPI_PRE_SCRIPT"
-        #
-        # Make sure asset path exists
-        - mkdir -p $FUZZAPI_REPORT_ASSET_PATH
-        #
-        # Start API Security background process
-        - dotnet /peach/Peach.Web.dll &> $FUZZAPI_LOG_SCANNER &
-        - APISEC_PID=$!
-        #
-        # Start scanning
-        - worker-entry
-        #
-        # Run user provided post-script
-        - sh -c "$FUZZAPI_POST_SCRIPT"
-        #
-        # Shutdown API Security
-        - kill $APISEC_PID
-        - wait $APISEC_PID
-        #
+        - /peach/analyzer-fuzz-api
     artifacts:
         when: always
         paths:
-            - $FUZZAPI_REPORT_ASSET_PATH
-            - $FUZZAPI_REPORT
-            - $FUZZAPI_LOG_SCANNER
+            - gl-assets
+            - gl-api-fuzzing-report.json
+            - gl-*.log
         reports:
-            api_fuzzing: $FUZZAPI_REPORT
+            api_fuzzing: gl-api-fuzzing-report.json
 
 # end