Security Policy not applying trigger conditions correctly
Summary
The bug has been confirmed on GitLab.com and tested with a Scan Execution Policy set at the group level.
When the trigger condition is set to all default branches or to specific protected branches, and the policy is applied to a project that has no .gitlab-ci.yml configured, GitLab attempts to create a pipeline on every branch. On branches that do not match the trigger condition the pipeline has no jobs, so it fails.
Example: if the trigger is set to fire only on default branches, the pipeline error below is generated on non-protected branches.
Projects that do have CI configured with jobs that run on non-default branches work as expected: the security policy jobs are simply not included in those pipelines.
Steps to reproduce
- Create a scan execution policy at the group level using the policy below:

  type: scan_execution_policy
  name: Test_policy
  description: ''
  enabled: true
  rules:
  - type: pipeline
    branch_type: default
  actions:
  - scan: sast_iac

- Create a new blank project (do not create any CI file).
- Create a new branch.
- Look at the pipeline error.
Example Project
Yes, see below: https://gitlab.com/cmarais_ultimate_group/ticket_work/478646_scan_execution_policy_bug/policy_group/blank_project
What is the current bug behavior?
On projects that have no CI jobs configured, the security policy attempts to create a pipeline on branches that do not match the trigger conditions, even though it has no jobs to add there. This results in failed pipelines being generated.
What is the expected correct behavior?
Do not attempt to create a pipeline when there are no jobs to add, so that no failed pipelines are created.
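The decision the reproduction steps and the expected behaviour describe, modelled as an added example (this is illustrative code written for this issue, not GitLab's own policy processor): the policy from the steps above is embedded inline, `branch_type: default` / `branch_type: protected` / an explicit `branches:` list are matched against the branch being built, and a pipeline is only planned when the project config or the policy contributes at least one job. The job name convention (`<scan>-policy`), the treatment of every project job as running on every branch, and the `plan_pipeline` helper are assumptions made for the example.

```ruby
require 'yaml'

# The policy from the issue's reproduction steps, embedded so the example runs offline.
POLICY = YAML.safe_load(<<~YAML)
  type: scan_execution_policy
  name: Test_policy
  description: ''
  enabled: true
  rules:
  - type: pipeline
    branch_type: default
  actions:
  - scan: sast_iac
YAML

# Top-level .gitlab-ci.yml keys that are configuration, not jobs.
RESERVED_KEYS = %w[stages workflow include variables default image services
                   cache before_script after_script].freeze

# True when one scan_execution_policy pipeline rule applies to `branch`.
# Covers the trigger conditions named in the issue (default branches,
# protected branches) plus an explicit list of branch name patterns.
def rule_matches?(rule, branch:, default_branch:, protected_branches:)
  return false unless rule['type'] == 'pipeline'

  case rule['branch_type']
  when 'default'   then branch == default_branch
  when 'protected' then protected_branches.include?(branch)
  when 'all'       then true
  when nil         then Array(rule['branches']).any? { |pattern| File.fnmatch?(pattern, branch) }
  else false
  end
end

# Jobs the policy would add for `branch`; empty when no rule matches.
# The "<scan>-policy" job name is a hypothetical convention for this example.
def policy_jobs(policy, branch:, default_branch:, protected_branches:)
  return [] unless policy['enabled']

  applies = policy['rules'].any? do |rule|
    rule_matches?(rule, branch: branch, default_branch: default_branch,
                        protected_branches: protected_branches)
  end
  return [] unless applies

  policy['actions'].map { |action| "#{action['scan']}-policy" }
end

# Job names defined by the project's own .gitlab-ci.yml (nil for a blank project).
# Simplification: every project job is assumed to run on every branch.
def project_jobs(ci_config)
  return [] if ci_config.nil?

  ci_config.keys.reject { |key| key.start_with?('.') || RESERVED_KEYS.include?(key) }
end

# Decide whether a pipeline should be created for `branch`, and with which jobs.
# This is the check the issue asks for: when neither the project config nor the
# policy contributes a job, answer create: false instead of an empty, failed pipeline.
def plan_pipeline(policy, ci_config, branch:, default_branch:, protected_branches:)
  jobs = project_jobs(ci_config) +
         policy_jobs(policy, branch: branch, default_branch: default_branch,
                             protected_branches: protected_branches)
  { create: !jobs.empty?, jobs: jobs }
end

if $PROGRAM_NAME == __FILE__
  # Blank project, default branch `main`: the policy rule matches, so the scan job runs.
  p plan_pipeline(POLICY, nil, branch: 'main', default_branch: 'main', protected_branches: ['main'])
  # Blank project, feature branch: no jobs at all, so no pipeline should be created.
  p plan_pipeline(POLICY, nil, branch: 'feature', default_branch: 'main', protected_branches: ['main'])
  # Project with its own CI (constructed sample), feature branch: project jobs only.
  ci = YAML.safe_load("stages: [test]\nunit-test:\n  script: [make test]\n")
  p plan_pipeline(POLICY, ci, branch: 'feature', default_branch: 'main', protected_branches: ['main'])
end
```

The second call is the bug case from the steps above: with no .gitlab-ci.yml and a policy that only targets the default branch, a feature branch ends up with zero jobs, and the planner reports `create: false` rather than producing a pipeline that immediately fails. The third call mirrors the observation that projects with their own jobs behave correctly, because the policy job is left out while the project's jobs still run.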
Relevant logs and/or screenshots
Output of checks
Possible fixes
Implementation plan
diff --git a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
index 4ef52b5681b4..d2d2c019aa2a 100644
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -26,6 +26,8 @@ def perform
return @config if valid_security_orchestration_policy_configurations.blank?
return @config unless extend_configuration?
+ @config[:workflow] = { rules: [ when: 'always' ]} if @config.empty?
+
merged_config = @config.deep_merge(merged_security_policy_config)
if custom_scan_actions_enabled? && active_scan_custom_actions.any?
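Review bot: the added line sets `workflow: rules: [when: 'always']` whenever `@config.empty?`, and an always-true workflow rule makes GitLab create a pipeline on every branch, which is the opposite of the expected behaviour stated in this issue (no pipeline when there are no jobs to add). It is not clear from the hunk how this prevents the failed pipeline on a branch the policy rules do not match; please add a code comment explaining the mechanism, or instead gate pipeline creation on the merged job set after `merged_config = @config.deep_merge(merged_security_policy_config)`. Two smaller points on the same line: if `@config` can ever be nil for a project with no `.gitlab-ci.yml`, `@config.empty?` raises, so `@config.blank?` is the safer guard; and `{ rules: [ when: 'always' ]}` should be written with an explicit inner hash and consistent spacing, `{ rules: [{ when: 'always' }] }`. A spec covering a blank project on a non-matching branch would pin down the intended result.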