Allow users to identify the specific compliance pipeline definition that was used for a given pipeline
This issue and linked pages contain information related to upcoming products, features, and functionality. It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this video and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Release notes
Problem to solve
"As Cameron, I need to be able to show my organization is following policies and generate records to prove it. I have implemented Compliance Pipelines for a project, but I'm not confident I can show what compliance pipeline was used for a specific pipeline run in the past. This information isn't readily available, so I have to cross-reference the date of the pipeline, then look at the audit log of the project to find out what Compliance Framework was applied at the time, and then look at the Git commit history of the compliance pipeline file to see the specific version. This works, but is hard to do, time consuming, and fragile. I'd prefer if there was an easy way to get a direct link to the exact compliance pipeline definition that was used instead."
Proposal
Create a new API that takes a pipeline ID and returns the specific compliance framework definition that was used with it.
Proposed Pseudocode:
```python
def get_compliance_pipeline_config(pipeline_id):
    the_pipeline = get_pipeline(pipeline_id)
    the_project = get_project(the_pipeline)
    # Key! We need the historical value in effect at the pipeline's date, not the current value
    compliance_framework = the_project.get_compliance_framework(the_pipeline.date)
    # Key! Same here: the configuration version that existed at the pipeline's date
    compliance_pipeline_configuration = compliance_framework.get_pipeline_configuration(the_pipeline.date)
    return compliance_pipeline_configuration
```
Important note: The goal of this API is to get the historical compliance pipeline configuration that was used for a pipeline. That is, the API should not just return the compliance framework's current pipeline file (which is already possible today with GraphQL). Instead, the API should return a link to the exact file that was used at that time.
Show any content that was pulled into the pipeline definition from other sources, such as `include`, as well.
- Question: Is there a sort of "evaluated pipeline" artifact that has all the variables & includes completed? We could consider serving that. We'd have to check protected variables to ensure we don't leak info with that approach too.
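The point-in-time lookup the pseudocode relies on, as an added example that is not GitLab's code: both the framework assignment and the configuration file version are resolved against the pipeline's creation time rather than the current state. The audit trail, framework ids, file paths and commit SHAs below are constructed sample data, and the permalink format is an assumption.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    at: datetime            # when the change took effect (audit-log or commit timestamp)
    value: Optional[str]    # framework id or commit sha; None means "framework removed"


def value_at(history: list, when: datetime) -> Optional[str]:
    """Latest value whose timestamp is <= `when` (history sorted ascending); None if none yet."""
    times = [e.at for e in history]
    i = bisect_right(times, when)
    return history[i - 1].value if i else None


# Constructed sample data (hypothetical project, framework ids and SHAs)
FRAMEWORK_HISTORY = {  # project -> audit trail of compliance framework assignments
    "acme/payments": [Event(ts("2023-01-10T00:00:00"), "fw-soc2"),
                      Event(ts("2023-03-01T00:00:00"), "fw-pci")],
}
CONFIG_HISTORY = {  # framework -> (config "path@project", commits touching that file)
    "fw-soc2": (".compliance-gitlab-ci.yml@acme/compliance",
                [Event(ts("2023-01-05T00:00:00"), "a1b2c3d"),
                 Event(ts("2023-02-15T00:00:00"), "e4f5a6b")]),
    "fw-pci": (".pci-ci.yml@acme/compliance",
               [Event(ts("2023-03-01T00:00:00"), "9f8e7d6")]),
}


def get_compliance_pipeline_config(project: str, pipeline_created_at: datetime) -> Optional[dict]:
    """Return the framework, commit and link that applied when the pipeline was created."""
    fw = value_at(FRAMEWORK_HISTORY.get(project, []), pipeline_created_at)
    if fw is None:
        return None                     # no framework was applied when the pipeline ran
    path_at_project, commits = CONFIG_HISTORY[fw]
    sha = value_at(commits, pipeline_created_at)
    if sha is None:
        return None                     # framework existed but its config file did not yet
    file_path, config_project = path_at_project.split("@", 1)
    # Assumed permalink layout: /<group>/<project>/-/blob/<sha>/<path>
    return {"framework": fw, "sha": sha,
            "permalink": f"/{config_project}/-/blob/{sha}/{file_path}"}
```

A pipeline created on 2023-02-20 resolves to `fw-soc2` at commit `e4f5a6b`, even though the project has since moved to `fw-pci`; a pipeline created before any framework was applied returns `None`.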
What is the type of buyer?
Open Questions
- Should the API be REST or GraphQL? Get input from engineering. Presumably GraphQL since our compliance framework APIs are GraphQL, but perhaps not if pipeline APIs are REST.
- Where and how could we surface this in the UI, beyond just an API?