Create service to run SecurityOrchestrationPolicies jobs as new pipeline
Why are we doing this work
We want Secret Detection scans to be run according to the schedule cadence specified in the policy. Secret Detection scans should run in historic mode for scheduled scans. Historic mode is typically enabled by setting `SECRET_DETECTION_HISTORIC_SCAN` to `true` as a CI variable. (See documentation)
Relevant links
Non-functional requirements
- Documentation: Update `doc/user/application_security/policies/index.md` to:
  - Add `secret_detection` as a possible value for the `scan` field
  - Reflect normal mode for the pipeline job and historic mode for the scheduled scan
  - Mention that only scans with the default ruleset will be supported.
  - Add
- Feature flag: This is already behind the `security_orchestration_policies_configuration` flag
- [-] Performance:
- Testing:
  - Test if the policy with scan type `secret_detection` creates a scheduled secret detection job as specified in the policy, with the given branch and cadence.
  - Test if a single policy with multiple scan actions (`dast` and `secret_detection`) also works as expected
  - Test if the policy with scan type
Implementation plan
- backend: Extend the `self.sources` method in `app/models/concerns/enums/ci/pipeline.rb` with the new value `security_orchestration_policy: 14`, and add `security_orchestration_policy` to the slice arguments in the `self.dangling_sources` method.
- backend: Extend the `dangling_build?` method in `lib/gitlab/ci/pipeline/chain/command.rb` with `security_orchestration_policy`.
- backend: Create a new service `Security::SecurityOrchestrationPolicies::CreatePipelineService` that creates a pipeline with the selected security scan using `Ci::CreatePipelineService`.
- backend: Extend the `process_action` method in `ee/app/services/security/security_orchestration_policies/rule_schedule_service.rb` to support the new scan `secret_detection` and start a new pipeline containing only the Secret Detection job, using `Security::SecurityOrchestrationPolicies::CreatePipelineService`.
- backend: Set the `SECRET_DETECTION_HISTORIC_SCAN` CI variable to `true`, as stated in the requirement:
  > Any Security Policy secret detection jobs that are run as part of a scheduled scan will run in history mode only.
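The following Ruby sketch is an added illustration of the behaviour described in this plan; it is not GitLab's code and does not use GitLab's classes. It shows how a pipeline-creating service could decide, per policy scan action, which CI variables to inject: `secret_detection` started by the rule schedule gets `SECRET_DETECTION_HISTORIC_SCAN=true` (historic mode), while the same scan in a normal pipeline gets nothing extra (normal mode), and a policy with several actions (`dast` and `secret_detection`) is expanded one scan at a time. The module, method names and the `'scan'` key of the action hash are assumptions; only the variable name, the scan types and the source value `security_orchestration_policy: 14` come from the issue text.

```ruby
# Added example, not GitLab's implementation. Names below are hypothetical.
module ScheduledScanExample
  # Scan types the issue says a policy action may request.
  SUPPORTED_SCANS = %w[dast secret_detection].freeze

  # Constructed subset of pipeline sources, with the new value from the plan.
  # A "dangling" source is one that may run without a .gitlab-ci.yml.
  SOURCES = { schedule: 4, security_orchestration_policy: 14 }.freeze
  DANGLING_SOURCES = SOURCES.slice(:security_orchestration_policy).freeze

  def self.dangling_source?(source)
    DANGLING_SOURCES.key?(source)
  end

  # CI variables to inject for one policy action.
  # `scheduled: true` means the pipeline was started by the rule schedule,
  # so secret detection runs in historic mode; otherwise normal mode.
  def self.variables_for(action, scheduled:)
    scan = action.fetch('scan')
    raise ArgumentError, "unsupported scan type: #{scan}" unless SUPPORTED_SCANS.include?(scan)

    vars = {}
    vars['SECRET_DETECTION_HISTORIC_SCAN'] = 'true' if scan == 'secret_detection' && scheduled
    vars
  end

  # Expands all actions of a policy into the scans to run, each with its variables,
  # so a policy with both `dast` and `secret_detection` yields two entries.
  def self.plan(actions, scheduled:)
    actions.map do |action|
      { scan: action['scan'], variables: variables_for(action, scheduled: scheduled) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed policy with two scan actions, started by the schedule.
  policy_actions = [{ 'scan' => 'dast' }, { 'scan' => 'secret_detection' }]
  ScheduledScanExample.plan(policy_actions, scheduled: true).each do |entry|
    puts "#{entry[:scan]}: #{entry[:variables].inspect}"
  end
end
```

Rejecting unknown scan types up front keeps a mistyped policy from silently starting an empty pipeline, and keeping the historic-mode decision in one method makes the scheduled-versus-normal distinction easy to test.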
Edited by Sashi Kumar Kumaresan