Scan execution policy CI variable SECRET_DETECTION_RULESET_GIT_REFERENCE not being applied in scan
Summary
When creating a project-level scan execution policy with a secret detection action and the CI variable `SECRET_DETECTION_RULESET_GIT_REFERENCE: '<some custom path in the group level>'`, the secret detection job in the pipeline does not use the updated path.
Steps to reproduce
TODO: Complete the steps to reproduce from this video scenario
- Create a new project.
- Add a simple `.gitlab-ci.yml` (see the `.gitlab-ci.yml` example below).
- Create a new security policy:
  - On the project's left sidebar, select Security & Compliance and Policies.
  - Select New Policy.
  - Select Scan execution policy.
  - Switch to `.yaml` mode and copy the scan execution policy example below.
  - Select Configure with a merge request.
  - Merge the MR.
- Go back to the initial project and start a pipeline.
- ???
Example files
`.gitlab-ci.yml` example:

```yaml
# .gitlab-ci.yml
image: busybox:latest

test1:
  stage: test
  script:
    - echo "Do a test here"
    - echo "For example run a test suite"
```
Scan execution policy example:

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: pipeline
    branches:
      - '*'
actions:
  - scan: secret_detection
    variables:
      SECRET_DETECTION_HISTORIC_SCAN: 'true'
      SECRET_DETECTION_LOG_LEVEL: debug
      SECRET_DETECTION_GIT_REFERENCE: >-
        $USER_EXT_RULESET_SEC_POL:$EXT_RULESET_SEC_POL@gitlab.com/roche/playground/gitlab-duo/group-security-policies
```
Example Project
What is the current bug behavior?
What is the expected correct behavior?
When creating a project-level scan execution policy with a secret detection action and the CI variable `SECRET_DETECTION_RULESET_GIT_REFERENCE: '<some custom path in the group level>'`, the secret detection job in the pipeline should use the updated path.
Possible fixes
- backend: verify with the group static analysis team. Variables are not processed; we just set them in the CI configuration, just like you would normally in a `.gitlab-ci.yml` file (per #420332 (comment 1494381672)).
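Since the action's variables are copied into the CI configuration exactly as written, a key that does not match a name the analyzer reads is set but never used. The following check is an added example, not part of this issue or of GitLab: it lists the variable keys under each `secret_detection` action of a policy file and flags any that are not in a set of known names (an assumption built only from the names on this page), suggesting the closest one, so a policy can be linted before the merge request is created.

```python
import difflib
import re

# Secret-detection variables named in this issue (assumption: extend this set
# from the analyzer's documented variables before relying on it).
KNOWN_SECRET_DETECTION_VARS = {
    "SECRET_DETECTION_HISTORIC_SCAN",
    "SECRET_DETECTION_LOG_LEVEL",
    "SECRET_DETECTION_RULESET_GIT_REFERENCE",
}
# Constructed sample: the actions block of the policy from this issue.
POLICY_YAML = """\
actions:
  - scan: secret_detection
    variables:
      SECRET_DETECTION_HISTORIC_SCAN: 'true'
      SECRET_DETECTION_LOG_LEVEL: debug
      SECRET_DETECTION_GIT_REFERENCE: >-
        $USER_EXT_RULESET_SEC_POL:$EXT_RULESET_SEC_POL@gitlab.com/roche/playground/gitlab-duo/group-security-policies
"""

def policy_variable_names(policy_text, scan="secret_detection"):
    """Variable keys under every `- scan: <scan>` action (line-based, no YAML lib)."""
    names, in_action, var_indent, key_indent = [], False, None, None
    for line in filter(str.strip, policy_text.splitlines()):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if re.match(r"-\s*scan:\s*" + re.escape(scan) + r"\s*$", stripped):
            in_action, var_indent, key_indent = True, None, None
            continue
        if not in_action:
            continue
        if stripped.startswith("- scan:") or (var_indent is not None and indent <= var_indent):
            in_action = False  # next action, or indentation left the variables block
            continue
        if var_indent is None:  # still looking for the action's variables: key
            var_indent = indent if stripped == "variables:" else None
            continue
        key_indent = indent if key_indent is None else key_indent
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)\s*:", stripped)
        if m and indent == key_indent:  # deeper lines are folded-scalar continuations
            names.append(m.group(1))
    return names

def unknown_variables(policy_text):
    """Pair each key no analyzer reads with the closest known name (or None)."""
    return [
        (key, (difflib.get_close_matches(key, KNOWN_SECRET_DETECTION_VARS, n=1) or [None])[0])
        for key in policy_variable_names(policy_text) if key not in KNOWN_SECRET_DETECTION_VARS
    ]
```

Run against the page's policy, the check reports `SECRET_DETECTION_GIT_REFERENCE` as unrecognised and suggests `SECRET_DETECTION_RULESET_GIT_REFERENCE`.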
Edited by Andy Schoenen