refactor: parameterize DefectDojo integration with per-branch scan isolation

SergK · SergK · commit ec69566ed011 · 2026-02-20T18:02:58.000+02:00
Enable independent security scan tracking per git branch in DefectDojo.
Previously, all branches shared a single engagement per product, causing
scan results to overwrite each other — scanning release/1.0 would replace
main findings. Now each branch gets its own isolated engagement via
automatic name suffixing (e.g., code-security-main, code-security-release/1.0).

DefectDojo object model per codebase:

  Product Type: KubeRocketCI (configurable via DD_PRODUCT_TYPE_NAME)
  └── Product: &lt;CODEBASE_NAME&gt;
      ├── Engagement: code-security-main
      │   ├── Test: Semgrep JSON Report (branch_tag: main)
      │   └── Test: Gitleaks Scan (branch_tag: main)
      └── Engagement: code-security-release/1.0
          ├── Test: Semgrep JSON Report (branch_tag: release/1.0)
          └── Test: Gitleaks Scan (branch_tag: release/1.0)

Re-scanning a branch only affects its own engagement. New branches are
auto-created on first scan via auto_create_context. The branch_tag field
on each Test provides audit traceability.

Technical changes:
- Add DD_PRODUCT_TYPE_NAME, DD_ENGAGEMENT_NAME, DD_VERSION, DD_BRANCH_TAG
  params across security, image-scan, and image-scan-remote tasks
- Construct engagement name as DD_ENGAGEMENT_NAME-CODEBASE_BRANCH in the
  security task for branch isolation
- Merge redundant PROJECT_NAME into CODEBASE_NAME (always same value)
- Rename PROJECT_BRANCH to CODEBASE_BRANCH for naming consistency
- Use curl --data-urlencode for GET requests to handle special characters
  in branch names (e.g., release/1.0)
- Conditionally pass version and branch_tag to reimport-scan API to avoid
  overwriting existing DefectDojo metadata with empty values
- Remove hardcoded product_type_name=Tenant and engagement_name values

Signed-off-by: Sergiy Kulanov &lt;sergiy_kulanov@epam.com&gt;
diff --git a/charts/pipelines-library/templates/pipelines/security/security-scan-bitbucket.yaml b/charts/pipelines-library/templates/pipelines/security/security-scan-bitbucket.yaml
@@ -74,13 +74,9 @@ spec:
       runAfter:
         - init-values
       params:
-        - name: DD_PRODUCT_NAME
-          value: $(tasks.init-values.results.TENANT_NAME)
-        - name: DD_ENGAGEMENT_NAME
-          value: "$(params.CODEBASE_NAME)-$(params.git-source-revision)"
-        - name: PROJECT_NAME
+        - name: CODEBASE_NAME
           value: $(params.CODEBASE_NAME)
-        - name: PROJECT_BRANCH
+        - name: CODEBASE_BRANCH
           value: $(params.git-source-revision)
       workspaces:
         - name: source
diff --git a/charts/pipelines-library/templates/pipelines/security/security-scan-gerrit.yaml b/charts/pipelines-library/templates/pipelines/security/security-scan-gerrit.yaml
@@ -69,13 +69,9 @@ spec:
       runAfter:
         - init-values
       params:
-        - name: DD_PRODUCT_NAME
-          value: $(tasks.init-values.results.TENANT_NAME)
-        - name: DD_ENGAGEMENT_NAME
-          value: "$(params.CODEBASE_NAME)-$(params.git-source-revision)"
-        - name: PROJECT_NAME
+        - name: CODEBASE_NAME
           value: $(params.CODEBASE_NAME)
-        - name: PROJECT_BRANCH
+        - name: CODEBASE_BRANCH
           value: $(params.git-source-revision)
       workspaces:
         - name: source
diff --git a/charts/pipelines-library/templates/pipelines/security/security-scan-github.yaml b/charts/pipelines-library/templates/pipelines/security/security-scan-github.yaml
@@ -74,13 +74,9 @@ spec:
       runAfter:
         - init-values
       params:
-        - name: DD_PRODUCT_NAME
-          value: $(tasks.init-values.results.TENANT_NAME)
-        - name: DD_ENGAGEMENT_NAME
-          value: "$(params.CODEBASE_NAME)-$(params.git-source-revision)"
-        - name: PROJECT_NAME
+        - name: CODEBASE_NAME
           value: $(params.CODEBASE_NAME)
-        - name: PROJECT_BRANCH
+        - name: CODEBASE_BRANCH
           value: $(params.git-source-revision)
       workspaces:
         - name: source
diff --git a/charts/pipelines-library/templates/pipelines/security/security-scan-gitlab.yaml b/charts/pipelines-library/templates/pipelines/security/security-scan-gitlab.yaml
@@ -74,13 +74,9 @@ spec:
       runAfter:
         - init-values
       params:
-        - name: DD_PRODUCT_NAME
-          value: $(tasks.init-values.results.TENANT_NAME)
-        - name: DD_ENGAGEMENT_NAME
-          value: "$(params.CODEBASE_NAME)-$(params.git-source-revision)"
-        - name: PROJECT_NAME
+        - name: CODEBASE_NAME
           value: $(params.CODEBASE_NAME)
-        - name: PROJECT_BRANCH
+        - name: CODEBASE_BRANCH
           value: $(params.git-source-revision)
       workspaces:
         - name: source
diff --git a/charts/pipelines-library/templates/tasks/image-scan-remote.yaml b/charts/pipelines-library/templates/tasks/image-scan-remote.yaml
@@ -25,9 +25,8 @@ spec:
         `repository/image:tag` or `repository/image`.
     - name: COMPONENT_NAME
       type: string
-      description: Name of the component to which the images belong.
-        Pipeline will use this name to create/update the appropriate
-        Engagement with scan reports in DefectDojo.
+      description: Name of the codebase/component to which the images belong.
+        Used as the DefectDojo product name for scan report tracking.
     - name: BASE_IMAGE_AWS_CLI
       type: string
       description: AWS CLI image
@@ -49,6 +48,22 @@ spec:
       type: string
       description: The name of the Grype scan report
       default: image-scan-grype-report.json
+    - name: DD_PRODUCT_TYPE_NAME
+      type: string
+      description: DefectDojo product type name
+      default: "KubeRocketCI"
+    - name: DD_ENGAGEMENT_NAME
+      type: string
+      description: DefectDojo engagement name
+      default: "container-security"
+    - name: DD_VERSION
+      type: string
+      description: Version that will be set on the DefectDojo Test object
+      default: ""
+    - name: DD_BRANCH_TAG
+      type: string
+      description: Branch or tag that was scanned, recorded on the DefectDojo Test object
+      default: ""
     - name: ci-defectdojo
       type: string
       description: Name of the secret holding the DefectDojo CI integration data
@@ -145,19 +160,25 @@ spec:
             secretKeyRef:
               key: url
               name: $(params.ci-defectdojo)
-        - name: DD_PRODUCT_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
       script: |
         #!/usr/bin/env sh
         set -e
 
-        PRODUCT_ID=$(curl -s -X GET "${DD_HOST_URL}/api/v2/products/?name_exact=${DD_PRODUCT_NAME}" \
+        PRODUCT_ID=$(curl -s -G "${DD_HOST_URL}/api/v2/products/" \
+          --data-urlencode "name_exact=$(params.COMPONENT_NAME)" \
           -H "accept: application/json" \
           -H "Authorization: Token ${DD_TOKEN}" \
           | jq -r '.results[0].id')
 
+        DD_VERSION_ARG=""
+        DD_BRANCH_TAG_ARG=""
+        if [ -n "$(params.DD_VERSION)" ]; then
+          DD_VERSION_ARG="-F version=$(params.DD_VERSION)"
+        fi
+        if [ -n "$(params.DD_BRANCH_TAG)" ]; then
+          DD_BRANCH_TAG_ARG="-F branch_tag=$(params.DD_BRANCH_TAG)"
+        fi
+
         for IMAGE in "$@"; do
           COMPONENT_NAME=$(basename "${IMAGE%%:*}")
 
@@ -178,19 +199,23 @@ spec:
               -F "verified=false" \
               -F "scan_type=${SCAN_TYPE}" \
               -F "file=@${REPORT_NAME};type=application/json" \
-              -F "product_type_name=Tenant" \
-              -F "product_name=${DD_PRODUCT_NAME}" \
-              -F "engagement_name=$(params.COMPONENT_NAME)" \
+              -F "product_type_name=$(params.DD_PRODUCT_TYPE_NAME)" \
+              -F "product_name=$(params.COMPONENT_NAME)" \
+              -F "engagement_name=$(params.DD_ENGAGEMENT_NAME)" \
               -F "auto_create_context=true" \
               -F "close_old_findings=true" \
               -F "push_to_jira=false" \
               -F "environment=Development" \
-              -F "test_title=${COMPONENT_NAME}" \
-              -F "tags=${IMAGE%:*}"
+              -F "test_title=${SCAN_TYPE}" \
+              -F "tags=${IMAGE%:*}" \
+              ${DD_VERSION_ARG} \
+              ${DD_BRANCH_TAG_ARG}
           done
         done
 
-        ENGAGEMENT_ID=$(curl -s -X GET "${DD_HOST_URL}/api/v2/engagements/?product=${PRODUCT_ID}&name=$(params.COMPONENT_NAME)" \
+        ENGAGEMENT_ID=$(curl -s -G "${DD_HOST_URL}/api/v2/engagements/" \
+          --data-urlencode "product=${PRODUCT_ID}" \
+          --data-urlencode "name=$(params.DD_ENGAGEMENT_NAME)" \
           -H "accept: application/json" \
           -H "Authorization: Token ${DD_TOKEN}" \
           | jq -r '.results[0].id')
diff --git a/charts/pipelines-library/templates/tasks/image-scan.yaml b/charts/pipelines-library/templates/tasks/image-scan.yaml
@@ -39,10 +39,24 @@ spec:
       type: string
       description: The name of the Grype scan report
       default: image-scan-grype-report.json
-    - name: DD_PRODUCT_NAME
+    - name: CODEBASE_NAME
       type: string
+    - name: DD_PRODUCT_TYPE_NAME
+      type: string
+      description: DefectDojo product type name
+      default: "KubeRocketCI"
     - name: DD_ENGAGEMENT_NAME
       type: string
+      description: DefectDojo engagement name
+      default: "container-security"
+    - name: DD_VERSION
+      type: string
+      description: Version that will be set on the DefectDojo Test object
+      default: ""
+    - name: DD_BRANCH_TAG
+      type: string
+      description: Branch or tag that was scanned, recorded on the DefectDojo Test object
+      default: ""
     - name: ci-defectdojo
       type: string
       description: name of the secret holding the DefectDojo CI integration data
@@ -89,6 +103,15 @@ spec:
         #!/usr/bin/env sh
         set -e
 
+        DD_VERSION_ARG=""
+        DD_BRANCH_TAG_ARG=""
+        if [ -n "$(params.DD_VERSION)" ]; then
+          DD_VERSION_ARG="-F version=$(params.DD_VERSION)"
+        fi
+        if [ -n "$(params.DD_BRANCH_TAG)" ]; then
+          DD_BRANCH_TAG_ARG="-F branch_tag=$(params.DD_BRANCH_TAG)"
+        fi
+
         for REPORT_NAME in $(params.TRIVY_SCAN_REPORT) $(params.GRYPE_SCAN_REPORT)
         do
             SCAN_TYPE=""
@@ -108,13 +131,15 @@ spec:
                 -F "verified=false" \
                 -F "scan_type=${SCAN_TYPE}" \
                 -F "file=@${REPORT_NAME};type=application/json" \
-                -F "product_type_name=Tenant" \
-                -F "product_name=$(params.DD_PRODUCT_NAME)" \
+                -F "product_type_name=$(params.DD_PRODUCT_TYPE_NAME)" \
+                -F "product_name=$(params.CODEBASE_NAME)" \
                 -F "engagement_name=$(params.DD_ENGAGEMENT_NAME)" \
                 -F "auto_create_context=true" \
                 -F "close_old_findings=true" \
                 -F "push_to_jira=false" \
                 -F "environment=Development" \
-                -F "test_title=security-scan"
+                -F "test_title=${SCAN_TYPE}" \
+                ${DD_VERSION_ARG} \
+                ${DD_BRANCH_TAG_ARG}
         done
 {{ end }}
diff --git a/charts/pipelines-library/templates/tasks/security.yaml b/charts/pipelines-library/templates/tasks/security.yaml
@@ -42,20 +42,26 @@ spec:
     - name: GITLEAKS_SCAN_REPORT
       type: string
       default: "gitleaks-report.json"
-    - name: DD_PRODUCT_NAME
+    - name: CODEBASE_NAME
       type: string
+      description: Project name, used as DefectDojo product name and Dependency-Track project name
       default: ""
-    - name: DD_ENGAGEMENT_NAME
-      type: string
-      default: ""
-    - name: PROJECT_NAME
-      description: That is the name of the project that will be updated/created on the dependency track side
+    - name: CODEBASE_BRANCH
+      description: Git branch or tag being scanned
       default: ''
       type: string
-    - name: PROJECT_BRANCH
-      description: That is the branch of the project that will be updated/created on the dependency track side
-      default: ''
+    - name: DD_PRODUCT_TYPE_NAME
+      type: string
+      description: DefectDojo product type name
+      default: "KubeRocketCI"
+    - name: DD_ENGAGEMENT_NAME
       type: string
+      description: DefectDojo engagement name
+      default: "code-security"
+    - name: DD_VERSION
+      type: string
+      description: Version that will be set on the DefectDojo Test object
+      default: ""
     - name: ci-dependency-track
       type: string
       description: Name of the secret holding the ci-dependency-track api token
@@ -121,9 +127,9 @@ spec:
               key: url
               optional: true
         - name: PROJECT_NAME
-          value: $(params.PROJECT_NAME)
+          value: $(params.CODEBASE_NAME)
         - name: PROJECT_BRANCH
-          value: $(params.PROJECT_BRANCH)
+          value: $(params.CODEBASE_BRANCH)
       image: $(params.BASE_IMAGE_CDXGEN)
       name: cdxgen
       computeResources: {}
@@ -161,11 +167,24 @@ spec:
           exit 0
         fi
 
-        PRODUCT_ID=$(curl -s -X GET "${DD_HOST_URL}/api/v2/products/?name_exact=$(params.DD_PRODUCT_NAME)" \
+        PRODUCT_ID=$(curl -s -G "${DD_HOST_URL}/api/v2/products/" \
+          --data-urlencode "name_exact=$(params.CODEBASE_NAME)" \
           -H "accept: application/json" \
           -H "Authorization: Token ${DD_TOKEN}" \
           | jq -r '.results[0].id')
 
+        ENGAGEMENT_NAME="$(params.DD_ENGAGEMENT_NAME)"
+        DD_BRANCH_TAG_ARG=""
+        if [ -n "$(params.CODEBASE_BRANCH)" ]; then
+          ENGAGEMENT_NAME="${ENGAGEMENT_NAME}-$(params.CODEBASE_BRANCH)"
+          DD_BRANCH_TAG_ARG="-F branch_tag=$(params.CODEBASE_BRANCH)"
+        fi
+
+        DD_VERSION_ARG=""
+        if [ -n "$(params.DD_VERSION)" ]; then
+          DD_VERSION_ARG="-F version=$(params.DD_VERSION)"
+        fi
+
         for REPORT_NAME in $(params.SEMGREP_SCAN_REPORT) $(params.GITLEAKS_SCAN_REPORT)
         do
             SCAN_TYPE=""
@@ -185,17 +204,21 @@ spec:
                 -F "verified=false" \
                 -F "scan_type=${SCAN_TYPE}" \
                 -F "file=@${REPORT_NAME};type=application/json" \
-                -F "product_type_name=Tenant" \
-                -F "product_name=$(params.DD_PRODUCT_NAME)" \
-                -F "engagement_name=$(params.DD_ENGAGEMENT_NAME)" \
+                -F "product_type_name=$(params.DD_PRODUCT_TYPE_NAME)" \
+                -F "product_name=$(params.CODEBASE_NAME)" \
+                -F "engagement_name=${ENGAGEMENT_NAME}" \
                 -F "auto_create_context=true" \
                 -F "close_old_findings=true" \
                 -F "push_to_jira=false" \
                 -F "environment=Development" \
-                -F "test_title=security"
+                -F "test_title=${SCAN_TYPE}" \
+                ${DD_VERSION_ARG} \
+                ${DD_BRANCH_TAG_ARG}
         done
 
-        ENGAGEMENT_ID=$(curl -s -X GET "${DD_HOST_URL}/api/v2/engagements/?product=${PRODUCT_ID}&name=$(params.DD_ENGAGEMENT_NAME)" \
+        ENGAGEMENT_ID=$(curl -s -G "${DD_HOST_URL}/api/v2/engagements/" \
+          --data-urlencode "product=${PRODUCT_ID}" \
+          --data-urlencode "name=${ENGAGEMENT_NAME}" \
           -H "accept: application/json" \
           -H "Authorization: Token ${DD_TOKEN}" \
           | jq -r '.results[0].id')
