Order of includes enables compliance pipelines to be ignored/overridden
Summary
Including the "local" project CI file last within the list of templates and files to include enables the compliance framework job to be overridden.
Steps to reproduce
Create a compliance framework pipeline similar to the following:
include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/SAST-IaC.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/License-Scanning.gitlab-ci.yml
  - local: "preflight.gitlab-ci.yml"
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_REF_NAME'
Within the preflight.gitlab-ci.yml file, specify a job of the following structure:
pipeline-forbidden-cmds:
  image: registry.gitlab.com/ctimberlake/ess-gitlab
  stage: preflight
  script:
    - /usr/src/app/check-pipeline.sh .gitlab-ci.yml
  rules:
    - when: always
Apply this framework to another project, and within that project CI file, define the following job:
pipeline-forbidden-cmds:
  image: registry.gitlab.com/ctimberlake/ess-gitlab
  stage: preflight
  script:
    - echo "SCRIPT OVERRIDDEN"
Running the pipeline, you will find that the compliance framework job is overridden by the local project job. If you move the local project include entry to the top of the list, the local job can no longer override the compliance framework job.
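To make the ordering effect concrete, here is an added example (not GitLab's code and not from this report's example project) that simulates how the two include orders resolve the pipeline-forbidden-cmds job, and adds the check a compliance-framework owner would want: a collision scan that flags any job name the project file shares with the preflight file. It assumes a simplified merge model, namely that included files are applied in list order and that, when the same job name appears in more than one file, each top-level key of the later definition replaces the earlier value (so a later script list wins outright). The YAML from the report is embedded as Python dicts, constructed here, to avoid a YAML dependency.

```python
"""Simulate GitLab CI include ordering for the override described in this report.

Added example. Assumed merge model: files apply in list order; for a job
defined in several files, each top-level job key from the later file replaces
the earlier value (arrays such as `script` are replaced whole, not appended).
"""
from copy import deepcopy

# Constructed stand-in for preflight.gitlab-ci.yml (the compliance job).
PREFLIGHT = {
    "pipeline-forbidden-cmds": {
        "image": "registry.gitlab.com/ctimberlake/ess-gitlab",
        "stage": "preflight",
        "script": ["/usr/src/app/check-pipeline.sh .gitlab-ci.yml"],
        "rules": [{"when": "always"}],
    }
}

# Constructed stand-in for the target project's own .gitlab-ci.yml.
PROJECT = {
    "pipeline-forbidden-cmds": {
        "image": "registry.gitlab.com/ctimberlake/ess-gitlab",
        "stage": "preflight",
        "script": ['echo "SCRIPT OVERRIDDEN"'],
    },
    "build": {"stage": "build", "script": ["make"]},
}

COMPLIANCE_JOB = "pipeline-forbidden-cmds"


def merge_includes(files):
    """Apply included configs in order; later per-job keys overwrite earlier ones."""
    merged = {}
    for cfg in files:
        for job, body in cfg.items():
            merged.setdefault(job, {})
            merged[job].update(deepcopy(body))
    return merged


def resolved_script(files, job):
    """Return the script the given job ends up with under this include order."""
    return merge_includes(files)[job]["script"]


def compliance_job_intact(files, job=COMPLIANCE_JOB):
    """True when the merged job still runs the preflight script and keeps its rules."""
    merged = merge_includes(files)[job]
    return (merged["script"] == PREFLIGHT[job]["script"]
            and merged.get("rules") == PREFLIGHT[job]["rules"])


def collisions(compliance_cfg, project_cfg):
    """Job names the project file redefines that also exist in the compliance file.

    A non-empty result is the signal a framework owner should alert on, since a
    colliding name is what makes the ordering matter at all.
    """
    return sorted(set(compliance_cfg) & set(project_cfg))


if __name__ == "__main__":
    # Order from the report: project file included last -> local job wins.
    reported = [PREFLIGHT, PROJECT]
    print("project last :", resolved_script(reported, COMPLIANCE_JOB),
          "intact" if compliance_job_intact(reported) else "OVERRIDDEN")
    # Project file moved to the top of the include list -> compliance job wins.
    reordered = [PROJECT, PREFLIGHT]
    print("project first:", resolved_script(reordered, COMPLIANCE_JOB),
          "intact" if compliance_job_intact(reordered) else "OVERRIDDEN")
    print("colliding job names:", collisions(PREFLIGHT, PROJECT))
```

The collision scan is independent of include order, which is the point: whichever order the framework uses, a project redefining a compliance job name is the condition worth detecting and reviewing.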
Example Project
What is the current bug behavior?
The compliance framework job is overridden by the local project script.
What is the expected correct behavior?
The compliance framework job, as configured (with a populated script and a when: always rule), should not be able to be overridden by the local project script.