
Allow security reports to be read for pipelines blocked by manual jobs

Aim

This issue aims to solve the following scenario:

  1. A pipeline has a manual job, and that manual job must complete before the entire pipeline is considered complete.

This scenario is mentioned in #346843 (closed). We want to address the manual-job blockage scenario first, based on the discussion in #346843 (comment 1729865302):

Sam: I believe we could greatly simplify this issue if we read security reports for pipelines that are only blocked/incomplete due to manual jobs that have not been run yet. As far as I can tell, that would solve for 95%+ of the user pain points here. If we try to read all blocked/incomplete reports, I could see that causing other problems...


Temporary workaround

We can suggest that customers run the security scans in a child pipeline if they want to see the results before completing a manual job, as a temporary solution. Update: the MR widget does not work if security reports are produced in child pipelines, so this workaround is not recommended. See: #439700 (closed)

See: #346843 (comment 1749240812)


Implementation

Proposal

  1. Include the :manual pipeline state (pipeline blocked on a manual job) in the states that trigger the security reports ingestion logic, similar to !142351 (diffs).
  2. During the manual -> success/failed pipeline state transition, skip re-ingestion of security reports that were already ingested while the pipeline was blocked, by checking the security jobs using the deduplication relay. See: #346843 (comment 1749240812)
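The two proposal points above, as an added worked example that is not GitLab's own code: a small policy object decides which security jobs to ingest for a pipeline's current state, treats :manual like the terminal states, and keeps a per-(pipeline, job) deduplication set so that the later manual -> success/failed transition ingests only scanner jobs that finished after the block (here a hypothetical dast job that runs after the manual deploy) and not the ones already ingested. The names ReportIngestionPolicy, INGESTABLE_STATES, Pipeline, Job and the in-memory Set standing in for the deduplication store are assumptions for this example.

```ruby
# Added example (not GitLab's own code). ReportIngestionPolicy, INGESTABLE_STATES,
# Pipeline, Job and the in-memory Set used as a deduplication store are
# assumptions made for this illustration.
require 'set'

# Pipeline states that should trigger security report ingestion. :manual
# (pipeline blocked on a manual job) is included alongside the terminal
# states so reports are readable before the manual job is run.
INGESTABLE_STATES = %i[success failed manual].freeze

Job = Struct.new(:id, :name, :status, :has_security_report, keyword_init: true)
Pipeline = Struct.new(:id, :status, :jobs, keyword_init: true)

class ReportIngestionPolicy
  def initialize
    # Stand-in for a persistent deduplication store keyed by [pipeline id, job id].
    @ingested = Set.new
  end

  # Returns the jobs whose security reports should be ingested given the
  # pipeline's current state, recording each one so that a later
  # manual -> success/failed transition does not ingest it a second time.
  def jobs_to_ingest(pipeline)
    return [] unless INGESTABLE_STATES.include?(pipeline.status)

    pipeline.jobs.select do |job|
      next false unless job.has_security_report
      next false unless job.status == :success   # only finished scanners have a report
      # Set#add? returns nil when the key is already present, so an already
      # ingested job is skipped instead of being re-ingested.
      @ingested.add?([pipeline.id, job.id])
    end
  end
end

# Walks a constructed pipeline through the blocked (:manual) state and then
# :success, returning the job names ingested at each step.
def simulate
  policy = ReportIngestionPolicy.new
  sast   = Job.new(id: 1, name: 'sast',   status: :success, has_security_report: true)
  deploy = Job.new(id: 2, name: 'deploy', status: :manual,  has_security_report: false)
  dast   = Job.new(id: 3, name: 'dast',   status: :created, has_security_report: true)
  pipeline = Pipeline.new(id: 10, status: :manual, jobs: [sast, deploy, dast])

  # Pipeline is blocked on the manual deploy: sast is ingested immediately,
  # dast has not run yet and is not.
  first = policy.jobs_to_ingest(pipeline).map(&:name)

  # Someone runs the manual job; dast runs after it and the pipeline succeeds.
  deploy.status = :success
  dast.status = :success
  pipeline.status = :success

  # Only dast is new; sast was already ingested while the pipeline was blocked.
  second = policy.jobs_to_ingest(pipeline).map(&:name)

  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  first, second = simulate
  puts "ingested while blocked: #{first.inspect}"
  puts "ingested after manual job ran: #{second.inspect}"
end
```

A pipeline in :running or :pending is still ignored, which is the narrowing Sam's comment asks for: only pipelines that are blocked because of manual jobs are read early, not every incomplete pipeline.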

Verification Steps

Verification project: https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs

  1. Set up the environment by importing the verification project above.
  2. Run a pipeline on the main branch and wait for the pipeline to show the blocked status.
  3. Refresh the same pipeline page and visit the Security tab: the vulnerabilities should now be displayed.
  4. Create an MR from the branch named branch-with-new-vulnerability, which is imported along with the project and introduces a new vulnerability (See: gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs!1).
  5. Run a new pipeline on the MR, wait for the pipeline state to change to blocked, and refresh the MR page: the MR security widget should show one new critical vulnerability being detected.

See MR before and after screenshot images for reference.

Edited by Bala Kumar