Draft: RapidFort Pipeline Updates
Description
- Add RapidFort jobs for loading RapidFort coverage scripts and running the stub image generation, coverage tests, and rbom report steps to generate the execution path vulnerabilities report (
rapidfort_rbom.json) for the container image.- By default, the RapidFort pipeline jobs will not be enabled for the pipeline.
- The RapidFort jobs can be enabled by setting the environment variable
ENABLE_RF=true.
- The RapidFort jobs can be enabled by setting the environment variable
- The RapidFort pipeline jobs are configured to allow failures (
allow_failure: true) so that any issues will not block the rest of the pipeline. - The RapidFort pipeline jobs are configured with timeouts
- By default, the RapidFort pipeline jobs will not be enabled for the pipeline.
- Add RapidFort vulnerabilities report parsing to VAT (
vat_import.py).- By default, the RapidFort findings will not be published to VAT until VAT adds RapidFort to the list of approved vendors. This code is currently controlled by an environment variable,
ENABLE_RF_VAT.- The execution path vulnerabilities report will continue be available as an artifact from the
rapidfort-scanstage.
- The execution path vulnerabilities report will continue be available as an artifact from the
- By default, the RapidFort findings will not be published to VAT until VAT adds RapidFort to the list of approved vendors. This code is currently controlled by an environment variable,
Risk
The RapidFort pipeline jobs may fail for various reasons, including issues with reaching the RapidFort platform or running coverage tests. Each job has a timeout and is allowed to fail without blocking the pipeline. The RapidFort jobs can be disabled for the pipeline via the ENABLE_RF environment variable.
Rollback Plan
The RapidFort jobs can be disabled for the pipeline via the ENABLE_RF environment variable.
Testing
The RapidFort pipeline updates have been tested in the staging environments (Mario and Zelda).
- By default, the RapidFort jobs are not enabled in the pipeline
- The RapidFort jobs are enabled and run if the
ENABLE_RFenvironment variable is set
- The RapidFort jobs are enabled and run if the
- If a RapidFort pipeline job fails (e.g. due to a simulated/induced error during testing), the pipeline continues without being blocked
- By default, RapidFort findings are not published to VAT so that the VAT stage will continue to pass
- The RapidFort execution path vulnerabilities report (
rapidfort_rbom.json) is available as an artifact from therapidfort-scanstage