Improve scan execution policy permission checks when creating pipelines

Why are we doing this work

Currently, scan execution policies use Ci::CreatePipelineService in order to create new pipelines. The service performs these checks, which need to pass for a pipeline to be created:

  1. The project is not currently being deleted
  2. The project has CI/CD enabled in the settings
  3. The current user is allowed to create pipelines on the project (developer or higher)
  4. The current user is allowed to write to the branch that the pipeline is running for (protected branch settings are taken into account for this)

The last person to make a commit on the security policy is used as the current user (1, 2).

There are a few problems with how these checks are currently performed:

  1. Maintainers can disable CI/CD in the project settings in order to prevent scan execution policies from being run.
  2. The person who last edited the security policy may not have sufficient permissions in all the places where scans should run (e.g. a pipeline on a protected branch of a project they don't maintain). Security personnel shouldn't need excessive permissions added to their account in order for scan execution policies to work.
  3. When a user leaves the organization, the policies will stop working unless someone else makes an edit to the security policies.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • backend Add a new user type (security_policy_bot) to HasUserType and add a security_policy_bot method in app/models/user.rb:
def security_policy_bot
  email_pattern = "security_policy%s@#{Settings.gitlab.host}"

  unique_internal(where(user_type: :security_policy_bot), 'security-policy-bot', email_pattern) do |u|
    u.bio = 'The GitLab Security Policy Bot'
    u.name = 'GitLab Security Policy Bot'
    u.avatar = bot_avatar(image: 'security-policy-bot.png')
  end
end
  • backend Use this user instead of schedule.owner in Security::OrchestrationPolicyRuleScheduleNamespaceWorker and Security::OrchestrationPolicyRuleScheduleWorker
  • backend Update the allowed_to_create_pipeline? method in Gitlab::Ci::Pipeline::Chain::Validate::Abilities so that the security_policy_bot user passes the check:
def allowed_to_create_pipeline?
  current_user.security_policy_bot? || can?(current_user, :create_pipeline, project)
end
  • backend Add a method (ignores_ci_settings?) to Ci::Pipeline, update Gitlab::Ci::Pipeline::Chain::Validate::Abilities to replace the direct project.builds_enabled? check with a new builds_enabled? method, and override that method in ee/lib/ee/gitlab/ci/pipeline/chain/validate/abilities.rb to call ignores_ci_settings? on the pipeline:
# Ci::Pipeline: policy-sourced pipelines are not subject to the project's CI/CD setting
def ignores_ci_settings?
  source == :security_orchestration_policy
end
# EE override in Validate::Abilities: the CE version only checks project.builds_enabled?
def builds_enabled?
  project.builds_enabled? || @pipeline.ignores_ci_settings?
end
  • documentation Update documentation to reflect the security_policy_bot user type
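As an added illustration (not GitLab's code), the following Ruby models the two Validate::Abilities checks the plan changes, with the current and planned logic side by side; the User, Project and Pipeline structs and the scenarios are constructed for this example and cover only checks 2 and 3, not branch write access.

```ruby
# Added illustration, not GitLab's code: a minimal model of the two
# Validate::Abilities checks the plan changes, current vs planned logic.
User = Struct.new(:name, :user_type, keyword_init: true) do
  def security_policy_bot?
    user_type == :security_policy_bot
  end
end

Project = Struct.new(:builds_enabled, :members, keyword_init: true) do
  # Check 3 from the issue: developer or higher may create pipelines.
  def can_create_pipeline?(user)
    %i[developer maintainer owner].include?(members[user.name])
  end
end

Pipeline = Struct.new(:source, keyword_init: true) do
  # The Ci::Pipeline#ignores_ci_settings? method proposed in the plan.
  def ignores_ci_settings?
    source == :security_orchestration_policy
  end
end

# Current behaviour: the project setting and the human editor's role decide.
def allowed_before(user, project, _pipeline)
  project.builds_enabled && project.can_create_pipeline?(user)
end

# Planned behaviour: policy-sourced pipelines ignore the CI/CD setting and
# the bot user always passes the create_pipeline check.
def allowed_after(user, project, pipeline)
  builds_ok = project.builds_enabled || pipeline.ignores_ci_settings?
  user_ok = user.security_policy_bot? || project.can_create_pipeline?(user)
  builds_ok && user_ok
end

# Constructed scenarios matching the three problems listed in the issue.
def scenarios
  bot = User.new(name: 'security-policy-bot', user_type: :security_policy_bot)
  alice = User.new(name: 'alice', user_type: :human) # last policy editor
  policy = Pipeline.new(source: :security_orchestration_policy)
  push = Pipeline.new(source: :push)
  ci_off = Project.new(builds_enabled: false, members: { 'alice' => :developer })
  no_access = Project.new(builds_enabled: true, members: {})
  {
    ci_disabled_before: allowed_before(alice, ci_off, policy),  # problem 1
    ci_disabled_after: allowed_after(bot, ci_off, policy),
    no_access_before: allowed_before(alice, no_access, policy), # problems 2, 3
    no_access_after: allowed_after(bot, no_access, policy),
    push_ci_disabled_after: allowed_after(alice, ci_off, push) # bypass is scoped
  }
end
```

The last scenario shows the caveat worth checking in review: an ordinary push pipeline on the CI-disabled project is still refused, so the bypass applies only to the policy source and the bot user.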

Verification steps

Edited by Sashi Kumar Kumaresan