Allow Secure templates to run in Merge Request only pipelines
Currently our Secure templates only run in branch pipelines, not in Merge Request only pipelines. For example, this .gitlab-ci.yml doesn't add any of the included template jobs to merge request pipelines:

```yaml
include:
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Scanning.gitlab-ci.yml
  - template: SAST.gitlab-ci.yml

workflow:
  rules:
    - if: $CI_COMMIT_REF_NAME == "master"
      when: always
    - if: $CI_MERGE_REQUEST_IID
      when: always
    - when: never
```
In our templates we use rules like, for example:

```yaml
  - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
    when: never
  - if: $CI_COMMIT_BRANCH &&
        $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
        $DS_DEFAULT_ANALYZERS =~ /retire.js/
    exists:
      - 'package.json'
```

Because `$CI_COMMIT_BRANCH` is only set in branch pipelines, this rule never matches in a merge request pipeline, so the job is not added there.
Proposal
Update rules within Sec section templates to support MR pipelines using the following configuration (as suggested below):
```yaml
job:
  rules:
    - if: $CI_MERGE_REQUEST_IID    # Add the job to merge request pipelines if there's an open merge request.
    - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
      when: never
    - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
```
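To check what the current and the proposed rules do in each pipeline type, here is an added Python model (not part of this issue or of GitLab's own code) that evaluates a simplified subset of `rules:if` and `exists` semantics against the Dependency-Scanning rules quoted above and the proposed rules, using constructed variable sets for a branch pipeline, a branch pipeline whose branch has an open MR, and a merge request pipeline. The parser is an assumption-level approximation of GitLab's expression grammar (no parentheses, `&&` binding tighter than `||`).

```python
import re
from fnmatch import fnmatch

def _atom(term, variables):
    """One comparison: $VAR (set and non-empty), $VAR == "v" / 'v', or $VAR =~ /regex/."""
    m = re.fullmatch(r"\s*\$(\w+)\s*(==|=~)?\s*(.*?)\s*", term, re.S)
    name, op, rhs = m.group(1), m.group(2), m.group(3)
    value = variables.get(name)
    if op is None:
        return bool(value)
    if op == "==":
        return value == rhs.strip("'\"")
    return value is not None and re.search(rhs.strip("/"), value) is not None

def evaluate_if(expr, variables):
    """rules:if expression; && binds tighter than || (simplified model, no parentheses)."""
    return any(all(_atom(t, variables) for t in clause.split("&&"))
               for clause in expr.split("||"))

def job_added(rules, variables, files=("package.json",)):
    """First matching rule wins; `when: never` drops the job, any other match adds it; no match: not added."""
    for rule in rules:
        if "if" in rule and not evaluate_if(rule["if"], variables):
            continue
        if "exists" in rule and not any(fnmatch(f, p) for p in rule["exists"] for f in files):
            continue
        return rule.get("when", "on_success") != "never"
    return False

# Rules as used in the current Dependency-Scanning template (quoted from the issue text).
OLD_RULES = [
    {"if": "$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'", "when": "never"},
    {"if": r"$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $DS_DEFAULT_ANALYZERS =~ /retire.js/", "exists": ["package.json"]},
]
# Proposed rules for the .latest templates (quoted from the issue text).
NEW_RULES = [
    {"if": "$CI_MERGE_REQUEST_IID"},
    {"if": "$CI_OPEN_MERGE_REQUESTS", "when": "never"},
    {"if": "$CI_COMMIT_BRANCH"},
]
# Constructed predefined-variable sets; only the variables the rules read are modelled.
COMMON = {"GITLAB_FEATURES": "sast,dependency_scanning", "DS_DEFAULT_ANALYZERS": "gemnasium,retire.js"}
PIPELINES = {
    "branch": {**COMMON, "CI_COMMIT_BRANCH": "feature"},
    "branch_with_open_mr": {**COMMON, "CI_COMMIT_BRANCH": "feature", "CI_OPEN_MERGE_REQUESTS": "group/project!42"},
    "merge_request": {**COMMON, "CI_MERGE_REQUEST_IID": "42", "CI_OPEN_MERGE_REQUESTS": "group/project!42"},
}

def matrix(rules):
    """Which pipeline types get the job under a given rule set."""
    return {name: job_added(rules, variables) for name, variables in PIPELINES.items()}
```

`matrix(OLD_RULES)` shows the job missing from the merge request pipeline, while `matrix(NEW_RULES)` adds it there and suppresses the duplicate branch pipeline when the branch already has an open MR.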
Implementation plan

- Introduce `.latest.gitlab-ci.yml` templates when missing
  - Jobs/SAST.latest.gitlab-ci.yml | !81847 (merged)
  - Jobs/SAST-IaC.latest.gitlab-ci.yml | !94429 (merged)
  - Jobs/Secret-Detection.latest.gitlab-ci.yml | !81847 (merged)
  - Jobs/Dependency-Scanning.latest.gitlab-ci.yml | !97323 (merged)
  - Jobs/Container-Scanning.latest.gitlab-ci.yml | !97323 (merged)
  - Jobs/License-Scanning.latest.gitlab-ci.yml | !97323 (merged)
  - Jobs/DAST.latest.gitlab-ci.yml | !97886 (merged)
  - Jobs/DAST-API.latest.gitlab-ci.yml | !97886 (merged)
  - Jobs/API-Fuzzing.latest.gitlab-ci.yml | !97886 (merged)
  - Jobs/Coverage-Fuzzing.latest.gitlab-ci.yml | !97886 (merged)
- Update rules job configurations for the latest templates with the CI_OPEN_MERGE_REQUESTS configuration described above
- Update documentation to include support for Merge Request pipelines out of the box | !100760 (merged)
- Within the MAJOR version release (%16.0), graduate the latest template changes to the stable templates
Edited by Lucas Charles