authorGitLab Bot <gitlab-bot@gitlab.com>2023-05-10 21:13:10 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-05-10 21:13:10 +0000
commitd9710d79c52bc73438022e79c79cfe3ab35b084b (patch)
tree4ccba377283753036ad28a75d061f7ee61afa806 /lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml
parent20a86e7f6fd58882025b1c85b21e891d75220da5 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml')
-rw-r--r--lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml65
1 files changed, 65 insertions, 0 deletions
diff --git a/lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml
new file mode 100644
index 00000000000..b626a7ca770
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml
@@ -0,0 +1,65 @@
+# To contribute improvements to CI/CD templates, please follow the Development guide at:
+# https://docs.gitlab.com/ee/development/cicd/templates.html
+# This specific template is located at:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml
+
+# To use this template, add the following to your .gitlab-ci.yml file:
+#
+# include:
+# template: BAS.latest.gitlab-ci.yml
+#
+# You also need to add a `dast` stage to your `stages:` configuration. A sample configuration for DAST:
+#
+# stages:
+# - build
+# - test
+# - deploy
+# - dast
+#
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/breach_and_attack_simulation/index.html#extend-dynamic-application-security-testing-dast
+
+# Include the DAST.latest template if $DAST_VERSION is null because this means a DAST template has not been included already.
+include:
+ - template: Security/DAST.latest.gitlab-ci.yml
+ rules:
+ - if: $DAST_VERSION == null
+
+variables:
+ BAS_CALLBACK_IMAGE_TAG: "latest"
+ BAS_DAST_IMAGE_TAG: "latest"
+ # Setting this variable will affect all Security templates
+ # (SAST, Dependency Scanning, ...)
+ SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+
+dast_with_bas:
+ extends:
+ - dast
+ - .dast_with_bas
+ rules:
+ # Don't add if the DAST+BAS job is disabled.
+ - if: $DAST_BAS_DISABLED == 'true' || $DAST_BAS_DISABLED == '1'
+ when: never
+ # Add the job to merge request pipelines if there's an open merge request.
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+ - if: $CI_OPEN_MERGE_REQUESTS
+ when: never
+ # If there's no open merge request, add it to a *branch* pipeline instead.
+ - if: $CI_COMMIT_BRANCH
+
+.dast_with_bas:
+ image:
+ name: "$SECURE_ANALYZERS_PREFIX/dast/breach-and-attack-simulation:$BAS_DAST_IMAGE_TAG"
+ variables:
+ DAST_BROWSER_SCAN: "true"
+ DAST_FF_ENABLE_BAS: "true"
+ DAST_FULL_SCAN_ENABLED: "true"
+
+.dast_with_bas_using_services:
+ extends: .dast_with_bas
+ services:
+ - name: "$SECURE_ANALYZERS_PREFIX/callback:$BAS_CALLBACK_IMAGE_TAG"
+ alias: callback
+ variables:
+ DAST_BROWSER_CALLBACK: "Address:http://callback"
+ FF_NETWORK_PER_BUILD: "true"
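Review bot: `BAS_DAST_IMAGE_TAG` and `BAS_CALLBACK_IMAGE_TAG` both default to `"latest"`, so the analyzer image in `.dast_with_bas` and the `callback` service image in `.dast_with_bas_using_services` are resolved from a mutable tag each time the job runs. What executes inside a user's pipeline can therefore change with no change to this template. If that is intended for a `.latest` template, the `variables:` block should say so, for example `# "latest" is a mutable tag; set BAS_DAST_IMAGE_TAG and BAS_CALLBACK_IMAGE_TAG to a fixed version for reproducible, auditable runs.` Separately, `.dast_with_bas` forces `DAST_FULL_SCAN_ENABLED: "true"`, which turns on active scanning for every job that extends it; a comment there should state that the configured target is expected to be a test or review environment, not production. The usage comment at the top shows `template: BAS.latest.gitlab-ci.yml`, while this file lives under `Security/` and its own `include:` uses the `Security/` prefix, so the example path probably needs the same prefix.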