Security Policy not applying trigger conditions correctly

Summary

Bug has been confirmed on GitLab.com and tested with a Scan Execution Policy set at group level.

When the trigger condition is set to all default branches or to specific protected branches, and the policy is applied to a project that has no .gitlab-ci.yml configured, GitLab attempts to create a pipeline on every branch. On branches that do not match the trigger condition, that pipeline fails because it contains no jobs.

Example: if the trigger is set to default branches only, the error pipeline shown below is generated on non-protected branches. Screenshot_2023-12-07_at_11.03.18

Projects that do have CI configured with jobs that run on non-default branches work as expected: the security policy jobs are not included in those pipelines.

Steps to reproduce

  1. Create a scan execution policy on a group level using the policy below:

       type: scan_execution_policy
       name: Test_policy
       description: ''
       enabled: true
       rules:
         - type: pipeline
           branch_type: default
       actions:
         - scan: sast_iac

  2. Create a new blank project (don't create any CI file).
  3. Create a new branch.
  4. Take a look at the pipeline error.

Example Project

Yes, see below: https://gitlab.com/cmarais_ultimate_group/ticket_work/478646_scan_execution_policy_bug/policy_group/blank_project

What is the current bug behavior?

On projects that have no CI jobs configured, the security policy attempts to create a pipeline without any jobs on branches that do not match the trigger conditions. This results in failed pipelines being generated.

What is the expected correct behavior?

Do not attempt to create the pipeline if there are no jobs to add, so that no failed pipelines are created.
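The following Ruby script is an added illustration, not GitLab's own code, of the behaviour this issue describes and expects: a `branch_type` rule is matched against the branch a pipeline is being created for, the policy's scan actions are merged into whatever project CI configuration exists (an empty hash when there is no .gitlab-ci.yml), and a final guard refuses to create a pipeline when the merged configuration contains no jobs. The project facts (`main` as default branch, the protected branch list), the generated job names and the helper names are assumptions made for the example.

```ruby
# Added illustration (not GitLab's code): models how a scan execution policy
# rule with `branch_type` selects branches, and the guard the issue asks for:
# do not create a pipeline when the merged configuration contains no jobs.
require 'yaml'

# Constructed policy, same shape as the one in the reproduction steps.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: Test_policy
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: default
  actions:
    - scan: sast_iac
YAML

# Hypothetical project facts (assumptions for the example, not from the issue).
PROJECT = { default_branch: 'main', protected_branches: %w[main release] }.freeze

# Does a single policy rule match the branch a pipeline is being created for?
def rule_matches?(rule, branch, project)
  return false unless rule['type'] == 'pipeline'

  case rule['branch_type']
  when 'default'   then branch == project[:default_branch]
  when 'protected' then project[:protected_branches].include?(branch)
  when 'all'       then true
  else false
  end
end

# Jobs the policy contributes on this branch (empty when no rule matches).
# Job naming (`<scan>-policy`) is an assumption of this example.
def policy_jobs(policy, branch, project)
  return {} unless policy['enabled']
  return {} unless policy['rules'].any? { |r| rule_matches?(r, branch, project) }

  policy['actions'].to_h do |action|
    ["#{action['scan']}-policy", { 'script' => ["run #{action['scan']} scan"] }]
  end
end

# Merge the project's own CI config (empty hash when there is no .gitlab-ci.yml)
# with the policy jobs.
def merged_config(project_ci, policy, branch, project)
  project_ci.merge(policy_jobs(policy, branch, project))
end

# Top-level keys that are not jobs; anything else counts as a job definition.
RESERVED_KEYS = %w[workflow stages variables default include].freeze

# The guard the issue asks for: only create a pipeline when at least one job
# would run, instead of producing a failed "no jobs" pipeline.
def create_pipeline?(config)
  config.keys.any? { |k| !RESERVED_KEYS.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  policy = YAML.safe_load(POLICY_YAML)
  %w[main feature].each do |branch|
    config = merged_config({}, policy, branch, PROJECT)
    puts "#{branch}: jobs=#{config.keys.inspect} create_pipeline=#{create_pipeline?(config)}"
  end
end
```

With no project CI file, the default branch gets the `sast_iac-policy` job and a pipeline; a feature branch gets no jobs and, under this guard, no pipeline at all, which is the corrected behaviour the issue requests.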

Relevant logs and/or screenshots

Screenshot_2023-12-07_at_11.03.18

Output of checks

Possible fixes

Implementation plan

diff --git a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
index 4ef52b5681b4..d2d2c019aa2a 100644
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -26,6 +26,8 @@ def perform
             return @config if valid_security_orchestration_policy_configurations.blank?
             return @config unless extend_configuration?
 
+            @config[:workflow] = { rules: [ when: 'always' ]} if @config.empty?
+
             merged_config = @config.deep_merge(merged_security_policy_config)
 
             if custom_scan_actions_enabled? && active_scan_custom_actions.any?
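Review bot: the added line `@config[:workflow] = { rules: [ when: 'always' ]} if @config.empty?` does not, on its own, show how the reported failure is avoided: the issue asks that no pipeline be created on branches where the policy contributes no jobs, whereas a `workflow` rule of `when: 'always'` makes pipeline creation unconditional and would still leave the merged config job-less on non-matching branches. Please state in the MR description why forcing the workflow to `always` on an empty config resolves the failed "no jobs" pipelines, and add a spec for a project without a `.gitlab-ci.yml` and a policy with `branch_type: default`, asserting that a non-default branch does not get a failed pipeline. Separately, the literal mixes spacing styles (`[ when:` and `]}`); the usual form is `{ rules: [{ when: 'always' }] }`, which also makes the implicit hash inside the array explicit.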
Edited by Andy Schoenen