Allow security reports to be read for pipelines with a Blocked/Incomplete state
Release notes
Problem to solve
Currently security reports are not read when pipelines are in a Blocked/Incomplete state. This can happen for several reasons:
- A job fails and is configured with `allow_failure: false`
- A pipeline has a manual job that must complete before the entire pipeline is considered complete.
Pipeline Status | Pipeline Completion | Vulnerability Report | Dependency List |
---|---|---|---|
Success | Complete | | |
Failed | Complete | | Will be addressed in &7886 |
Blocked | Incomplete | | |
Blocked | Manual Jobs Specifically for Automatic Review Environment Destruction ("on_stop") | Will be addressed in #439691 (closed) | |
Important considerations
Potentially, if we do allow vulnerabilities and dependencies to be read even when the pipeline is in a Blocked/Incomplete state, this could complicate our Security Approvals feature. Prior to implementing this, we need to verify whether it might be possible for a developer to work around the approval by having one of the jobs fail in a way that prevented the security scans from running. If they are then able to merge in their code without security approval, this would then be a breach of the established security approval rule.
As part of this feature, we may need to analyze the project settings for any MRs that have pipelines in a Blocked/Incomplete state. If they have at least one Security Approval policy configured, then we may need to gate the MR on that policy regardless of whether or not vulnerabilities were discovered. This gets to be a complicated scenario to explain, so we will need to design some good in-product messaging to make it clear why the security approval is required even though vulnerabilities may not have been found.
Additionally, it is possible that scan results will change once the pipeline later completes, especially if it is blocked on a manual job. We will need to design carefully for how changing security results will be displayed and communicated in the UI during this time.
Intended users
User experience goal
Proposal
Read reports from pipelines in which all security builds have completed
- Evaluate whether to change `Ci::Pipeline#complete_and_has_reports?` to return `true` once all builds with security-type report artifacts have completed
- Return `false` if downstream jobs are present in the pipeline
See thread below for further discussion
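As an added illustration (not GitLab's code), the following Ruby sketch models the proposed `Ci::Pipeline#complete_and_has_reports?` rule next to the current whole-pipeline rule, and the approval gate raised under Important considerations: with a scan-result policy configured, a security build that never ran to completion keeps the MR gated even when the partial results contain no findings. The `Build` and `Pipeline` structs, the `SECURITY_REPORT_TYPES` list, `sample_pipelines` and `security_approval_required?` are assumptions made for this example, not GitLab internals.

```ruby
# Toy model of the proposal; every name here is an assumption for the example.
SECURITY_REPORT_TYPES = %w[sast dast dependency_scanning container_scanning
                           secret_detection coverage_fuzzing].freeze
# A build counts as "completed" only if it actually ran to the end.
# Skipped, canceled, manual or pending builds produced no report.
COMPLETED_STATUSES = %w[success failed].freeze

Build = Struct.new(:name, :status, :report_types, :downstream, keyword_init: true) do
  def completed?
    COMPLETED_STATUSES.include?(status)
  end

  def security_report?
    (report_types & SECURITY_REPORT_TYPES).any?
  end
end

Pipeline = Struct.new(:status, :builds, keyword_init: true) do
  # Blocked (manual) pipelines are not complete; success/failed ones are.
  def complete?
    %w[success failed].include?(status)
  end

  def has_security_reports?
    builds.any?(&:security_report?)
  end

  # Current rule (simplified): the whole pipeline must be complete.
  def complete_and_has_reports_current?
    complete? && has_security_reports?
  end

  # Proposed rule: read reports once every security-report build has
  # completed, unless a downstream (child/multi-project) trigger is present,
  # since its results could still change what the reports contain.
  def complete_and_has_reports_proposed?
    return false if builds.any?(&:downstream)

    security_builds = builds.select(&:security_report?)
    security_builds.any? && security_builds.all?(&:completed?)
  end

  # Security builds that never finished, e.g. skipped because an earlier
  # stage failed with allow_failure: false. A non-empty list means
  # "no findings" must not be read as "scan passed".
  def unfinished_security_builds
    builds.select { |b| b.security_report? && !b.completed? }.map(&:name)
  end
end

# Approval gate sketch: with at least one scan-result policy configured,
# keep requiring approval whenever a security build did not run to
# completion, regardless of how many findings the partial reports hold.
def security_approval_required?(pipeline, policies_configured:, findings_count:)
  return false unless policies_configured
  return true if pipeline.unfinished_security_builds.any?

  findings_count.positive?
end

# Constructed sample pipelines covering the states from the table above.
def sample_pipelines
  sast = ->(s) { Build.new(name: 'sast', status: s, report_types: %w[sast], downstream: false) }
  deps = ->(s) { Build.new(name: 'dependency_scanning', status: s, report_types: %w[dependency_scanning], downstream: false) }
  plain = ->(n, s, d = false) { Build.new(name: n, status: s, report_types: [], downstream: d) }
  {
    # Scans done, review deploy waiting on a manual action: pipeline blocked.
    blocked_scans_done: Pipeline.new(status: 'manual', builds: [sast.('success'), deps.('success'), plain.('deploy_review', 'manual')]),
    # Build stage failed with allow_failure: false; the scans never ran.
    failed_before_scans: Pipeline.new(status: 'failed', builds: [plain.('build', 'failed'), sast.('skipped'), deps.('skipped')]),
    # A child-pipeline trigger is present: results may still change.
    with_downstream: Pipeline.new(status: 'manual', builds: [sast.('success'), plain.('trigger_child', 'success', true)])
  }
end

if $PROGRAM_NAME == __FILE__
  sample_pipelines.each do |label, pipeline|
    puts "#{label}: current=#{pipeline.complete_and_has_reports_current?} " \
         "proposed=#{pipeline.complete_and_has_reports_proposed?} " \
         "unfinished=#{pipeline.unfinished_security_builds.inspect}"
  end
end
```

Note that in the `failed_before_scans` case the current rule already treats the pipeline as complete with reports (the Failed row of the table), even though both scans were skipped; it is the `unfinished_security_builds` check, not the completeness check, that keeps the approval requirement in place.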
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
Is this a cross-stage feature?
Potentially. This impacts both the Dependency List and the Vulnerability Report for group::threat insights as well as security approvals from group::security policies. Depending on the solution, it may also require working in group::pipeline execution's area.
Links / references
Related issues:
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.