Spike Come up with PoC for pipeline execution policy as stand alone policy
Time-box: 3 days
In a sync session with @fabiopitino and @Andysoiron we discussed the limitations of the current implementation of pipeline execution policies. Embedding pipeline execution policies as a `custom` scan type in scan execution policies introduces a few inconsistencies:
- The CI configuration in a `custom` scan type doesn't have to be a scan. It can be any CI job, so "custom scan" is not the right wording.
- There is no need for multiple actions in one policy. All jobs can be combined in a single CI configuration, and merging multiple scan actions adds unnecessary complexity.
- Trigger conditions become obsolete because the same can be achieved with `workflow: rules`.
Proposal
We can introduce a new policy type that consists only of `name`, `description` and `content`, with `content` being a CI configuration.
When running a pipeline, the new policy type will be evaluated separately from scan execution policies and its content will simply be merged into the project's CI configuration. This gives a clear separation between the two policy types and less complex workflow logic.
The new policy type can achieve the same results as the current scan execution policies (except scheduled triggers) with less logic: trigger conditions can be implemented using `workflow: rules`, and scan jobs can be added using `include`.
Schema
```json
{
  "properties": {
    "name": {
      "description": "Name for the policy.",
      "minLength": 1,
      "maxLength": 255,
      "type": "string"
    },
    "description": {
      "description": "Specifies the longer description of the policy.",
      "type": "string"
    },
    "content": {
      "$ref": "./gitlab_ci.json"
    }
  }
}
```
Example policy
```yaml
name: "Secret detection"
description: "triggers all protected branches except main"
enabled: true
content:
  workflow:
    rules:
      # CI_COMMIT_REF_PROTECTED is a string variable, so it must be compared
      # to the quoted literal "false"; an unquoted `false` is not valid
      # `if:` expression syntax.
      - if: $CI_COMMIT_REF_PROTECTED == "false" || $CI_COMMIT_REF_NAME == 'main'
        when: never
  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml
```
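To make the proposal above concrete, here is an added Ruby sketch of the two steps the PoC needs: checking a policy against the constraints of the schema fragment, and merging its `content` into a project's CI configuration. This is example code written for this issue, not GitLab's implementation or the PoC MR. Its merge semantics are assumptions: policy `workflow: rules` are placed before the project's own rules, policy `include` entries are appended, and any other top-level key the policy defines (a job) overrides a project key of the same name, with the collision reported so the caller can fail closed rather than let the project silently shadow a policy job. `enabled` is not in the schema fragment and is treated as optional (default true); the `$ref` to `gitlab_ci.json` is not resolved and includes are not expanded. The policy and project YAML are constructed samples.

```ruby
require 'yaml'

# Constructed sample inputs for this example (not taken from a real project):
# a policy in the proposed name/description/content format and a project's
# own .gitlab-ci.yml with its own workflow rules.
POLICY_YAML = <<~YAML
  name: "Secret detection"
  description: "triggers all protected branches except main"
  enabled: true
  content:
    workflow:
      rules:
        - if: $CI_COMMIT_REF_PROTECTED == "false" || $CI_COMMIT_REF_NAME == 'main'
          when: never
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
YAML

PROJECT_CI_YAML = <<~YAML
  stages: [build, test]
  workflow:
    rules:
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  build:
    stage: build
    script: make
YAML

# Checks the constraints the proposed schema fragment states: name is a string
# of 1..255 characters, description (if present) is a string, content is a map.
# The "$ref" to gitlab_ci.json is not resolved here (assumption: out of scope).
def validate_policy(policy)
  errors = []
  name = policy['name']
  if name.is_a?(String)
    errors << 'name must be 1..255 characters' unless (1..255).cover?(name.length)
  else
    errors << 'name must be a string'
  end
  if policy.key?('description') && !policy['description'].is_a?(String)
    errors << 'description must be a string'
  end
  errors << 'content must be a CI configuration map' unless policy['content'].is_a?(Hash)
  errors
end

# `include` and `rules` may be a single entry or a list in GitLab CI; normalise.
def as_list(value)
  return [] if value.nil?
  value.is_a?(Array) ? value : [value]
end

# Merges policy content into the project's CI configuration. The merge
# semantics are an assumption of this example, not something the issue fixes:
#   * policy workflow rules go before the project's rules, so the policy's
#     `when: never` conditions are evaluated first (first match wins);
#   * policy `include` entries are appended to the project's includes;
#   * any other top-level key (i.e. a job) defined by the policy overrides a
#     project key of the same name, and the collision is reported.
# `enabled` is not in the schema fragment; treated as optional, default true.
def merge_policy_into_ci(project_ci, policy)
  return [project_ci, []] unless policy.fetch('enabled', true)

  merged = project_ci.dup
  conflicts = []
  policy['content'].each do |key, value|
    case key
    when 'workflow'
      project_rules = as_list(project_ci.dig('workflow', 'rules'))
      merged['workflow'] = { 'rules' => as_list(value['rules']) + project_rules }
    when 'include'
      merged['include'] = as_list(project_ci['include']) + as_list(value)
    else
      conflicts << key if project_ci.key?(key)
      merged[key] = value
    end
  end
  [merged, conflicts]
end

# Loads the constructed inputs, validates the policy and merges it.
def run_example
  policy = YAML.safe_load(POLICY_YAML)
  project_ci = YAML.safe_load(PROJECT_CI_YAML)
  errors = validate_policy(policy)
  raise ArgumentError, "invalid policy: #{errors.join(', ')}" unless errors.empty?

  merged, conflicts = merge_policy_into_ci(project_ci, policy)
  { merged: merged, conflicts: conflicts }
end

if __FILE__ == $PROGRAM_NAME
  result = run_example
  puts YAML.dump(result[:merged])
  warn "job name conflicts: #{result[:conflicts].inspect}" unless result[:conflicts].empty?
end
```

Two caveats worth keeping in mind for the PoC: `workflow: rules` are first-match, and when a `workflow: rules` block is present and no rule matches, no pipeline is created, so a policy whose only rule is `when: never` relies on the project's own rules (or a terminal catch-all) to let the remaining pipelines run; and because jobs arriving via `include` are only resolved when the configuration is expanded, a job-name collision check like the one above has to run after includes are processed if the policy is to reliably win over the project configuration.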
Goal
The goal of this spike is to produce a proof-of-concept MR, record a demo video with it, and learn more about the potential and challenges of this approach.