Security UI configuration tool does not consider non-default config files
Summary
When you go to Security & Compliance > Configuration and try to use the UI to add the config to your pipeline automatically, it does not retrieve the correct pipeline config and creates a merge request that is incorrect. It seems like the UI is hard coded to use only `.gitlab-ci.yml` in the root of the project, ignoring the project setting that defines the actual config file location.
Steps to reproduce
- Create a CI config file somewhere else in your project.
- Go to Settings > CI/CD > General pipelines and set CI/CD configuration file to be that new config file.
- Check that pipeline runs with this config. You can also go to the pipeline editor CI/CD > Editor to verify that this is the config file GitLab is using.
- Go to Security & Compliance > Configuration and use the Configure with a merge request option for any scanner.
- Check diff in the MR and see that it does not match the active config file.
What is the current bug behavior?
There are two possible cases and results that arise from this bug. Both happen when your config file is set to anything other than the default:
- Case 1: No `.gitlab-ci.yml` file is present in the root directory. In this case, the UI will create a merge request that adds a new `.gitlab-ci.yml` file to the project that has nothing but the `include:` and notes. This pipeline will never run, so the scanner will never work.
- Case 2: A `.gitlab-ci.yml` config file IS present in the root directory, but the project has been configured to use a different one. In this case, the UI will create a merge request that is very confusing, because it'll be modifying the wrong config file. Again, if you merge that change, the scanner doesn't actually run, because that config file is never used.
Possible fixes
Just like the pipeline editor does, this Configure with a merge request option for all scanners should be updated to use the value set in the CI/CD configuration file setting, not hard coded to a root `.gitlab-ci.yml`.
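As an added illustration of the proposed fix (example code written for this report, not GitLab's own implementation), the snippet below resolves the CI config file a project actually uses from its CI/CD configuration file setting and plans which file a "Configure with a merge request" change should touch, side by side with the hard-coded root-file behaviour described above. The `resolve_ci_config` and `plan_security_config_mr` helpers, the `ConfigSource` struct and the in-memory file tree are assumptions made for the example; the accepted setting shapes (a path in the repository, `path@group/project`, or a remote URL) follow the documented CI/CD configuration file setting.

```ruby
# Added example, not GitLab code: pick the CI config file the way the pipeline
# editor does, instead of assuming a root .gitlab-ci.yml. Everything below
# (helper names, the ConfigSource struct, the in-memory repo) is constructed
# for illustration.

DEFAULT_CI_CONFIG_PATH = '.gitlab-ci.yml'

# Shapes the CI/CD configuration file setting can take:
#   :local            - a path inside this repository (or the default)
#   :external_project - "path@group/project", the file lives in another project
#   :remote           - an http(s) URL
ConfigSource = Struct.new(:kind, :path, :project)

def resolve_ci_config(ci_config_path)
  setting = ci_config_path.to_s.strip
  return ConfigSource.new(:local, DEFAULT_CI_CONFIG_PATH, nil) if setting.empty?
  return ConfigSource.new(:remote, setting, nil) if setting.match?(%r{\Ahttps?://})

  if setting.include?('@')
    path, project = setting.split('@', 2)
    return ConfigSource.new(:external_project, path, project)
  end

  ConfigSource.new(:local, setting, nil)
end

# Decide which file the security-configuration MR should create or modify.
# files: Hash of repository path => content (an in-memory stand-in for the repo).
def plan_security_config_mr(ci_config_path, files)
  source = resolve_ci_config(ci_config_path)

  if source.kind == :local
    action = files.key?(source.path) ? :modify : :create
    { action: action, path: source.path }
  else
    # The active config is not in this repository, so editing any local file
    # would produce exactly the "never runs" MR the report describes.
    { action: :unsupported, path: source.path, reason: "CI config is #{source.kind}" }
  end
end

# The behaviour reported as the bug, kept for contrast: the setting is ignored
# and the root .gitlab-ci.yml is always the target.
def plan_security_config_mr_hardcoded(files)
  action = files.key?(DEFAULT_CI_CONFIG_PATH) ? :modify : :create
  { action: action, path: DEFAULT_CI_CONFIG_PATH }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed repository for case 1 of the report: config moved, no root file.
  repo = { 'ci/pipeline.yml' => "stages: [test]\n" }
  puts "hard-coded: #{plan_security_config_mr_hardcoded(repo)}"
  puts "fixed:      #{plan_security_config_mr('ci/pipeline.yml', repo)}"
end
```

Running the block shows the two outcomes for case 1: the hard-coded planner wants to create a root `.gitlab-ci.yml` that the project will never execute, while the setting-aware planner modifies `ci/pipeline.yml`; for case 2 (both files present) the hard-coded planner modifies the wrong file instead.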