UNCLASSIFIED - NO CUI

Skip to content

Add RapidFort Job

rf_eve requested to merge add-rapidfort-pipeline into master

Description

  • Add RapidFort jobs for loading RapidFort coverage scripts and running the stub image generation, coverage tests, and rbom report steps to generate the execution path vulnerabilities report (rapidfort_rbom.json) for the container image.
    • By default, the RapidFort pipeline jobs will not be enabled for the pipeline.
      • The RapidFort jobs can be enabled by setting the environment variable ENABLE_RF=true.
    • The RapidFort pipeline jobs are configured to allow failures (allow_failure: true) so that any issues will not block the rest of the pipeline.
    • The RapidFort pipeline jobs are configured with timeouts
  • Add RapidFort vulnerabilities report parsing to VAT (vat_import.py).
    • By default, the RapidFort findings will not be published to VAT until VAT adds RapidFort to the list of approved vendors. This code is currently controlled by an environment variable, ENABLE_RF_VAT.
      • The execution path vulnerabilities report will continue be available as an artifact from the rapidfort-scan stage.

Risk

The RapidFort pipeline jobs may fail for various reasons, including issues with reaching the RapidFort platform or running coverage tests. Each job has a timeout and is allowed to fail without blocking the pipeline. The RapidFort jobs can be disabled for the pipeline via the ENABLE_RF environment variable.

Rollback Plan

The RapidFort jobs can be disabled for the pipeline via the ENABLE_RF environment variable.

Testing

The RapidFort pipeline updates have been tested in the staging environments (Mario and Zelda).

  • By default, the RapidFort jobs are not enabled in the pipeline
    • The RapidFort jobs are enabled and run if the ENABLE_RF environment variable is set
  • If a RapidFort pipeline job fails (e.g. due to a simulated/induced error during testing), the pipeline continues without being blocked
  • By default, RapidFort findings are not published to VAT so that the VAT stage will continue to pass
  • The RapidFort execution path vulnerabilities report (rapidfort_rbom.json) is available as an artifact from the rapidfort-scan stage
Edited by Jeffrey Wuebbles

Merge request reports