
Variables from settings are not overwritten by PEP if a template is included.

Summary

CI/CD variables from group or project settings are not overwritten by a pipeline execution policy if a template is included.

For example with this CI config as the pipeline execution policy:

# policy-ci.yml
include:
- template: Jobs/SAST.gitlab-ci.yml


variables:
  SAST_EXCLUDED_ANALYZERS: "none"

I expected it shouldn't be possible to overwrite the SAST_EXCLUDED_ANALYZERS variable via project settings, but it was still possible. If the variable is used in a pipeline execution job directly, without using the template, it has the expected value of none.

Steps to reproduce

  1. Create a group
  2. Create a project in the group
  3. Add a simple .groovy file.
    // example.groovy
    class Example {
       static void main(String[] args) {
          println('Hello World');
       }
    }
  4. Create another project in the group.
  5. Add a policy CI/CD config file to the project.
    # policy-ci.yml
    include:
    - template: Jobs/SAST.gitlab-ci.yml
  6. Go back to the group.
  7. On the project's left sidebar, select Security & Compliance and Policies.
  8. Select New Policy
  9. Select Pipeline execution policy
  10. Choose a name for the policy
  11. In the Actions section, select Override and select the project and policy-ci.yml file you created in step 5.
  12. Select Update via Merge Request.
  13. Merge the MR.
  14. Go back to the first project and start a pipeline.
  15. The pipeline should contain a spotbugs-sast job.
  16. Go to Settings -> CI/CD and select Variables
  17. Select add variable and use SAST_EXCLUDED_ANALYZERS as Key and spotbugs as Value.
  18. Select Add variable to save the variable.
  19. Run a new pipeline.
  20. This time, the pipeline should not contain a spotbugs-sast job.
  21. Go to the security policy project and edit the policy-ci.yml file to overwrite the project variable:
    # policy-ci.yml
    include:
    - template: Jobs/SAST.gitlab-ci.yml
    
    
    variables:
      SAST_EXCLUDED_ANALYZERS: "none"
  22. Go back to the first project and start a new pipeline. The pipeline still does not contain a spotbugs-sast job, but it should, because SAST_EXCLUDED_ANALYZERS should be overwritten by the policy.
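
To spot this kind of policy bypass from the outside, the following added example (not part of this issue or of GitLab's own code) audits a project's CI/CD variables and a pipeline's job list for the two symptoms described above: a project variable redefining a key the policy pins, and a policy-enforced job missing from the pipeline. The enforced job name and pinned variable are assumptions taken from the steps above; the sample data is constructed, shaped like the fields returned by the GitLab REST endpoints `GET /projects/:id/variables` and `GET /projects/:id/pipelines/:pipeline_id/jobs`.

```python
"""Audit helper for the SAST_EXCLUDED_ANALYZERS override described in this issue."""
import json

# Assumption: under the policy above, a Groovy project is expected to get this SAST job.
POLICY_ENFORCED_JOBS = {"spotbugs-sast"}
# Assumption: the policy pins this variable, so a project must not redefine it.
POLICY_PINNED_VARIABLES = {"SAST_EXCLUDED_ANALYZERS": "none"}


def find_conflicting_variables(project_variables, pinned=POLICY_PINNED_VARIABLES):
    """Return {key: project_value} for project variables that redefine a policy-pinned key."""
    return {
        v["key"]: v["value"]
        for v in project_variables
        if v["key"] in pinned and v["value"] != pinned[v["key"]]
    }


def find_missing_policy_jobs(pipeline_jobs, enforced=POLICY_ENFORCED_JOBS):
    """Return the policy-enforced job names that are absent from a pipeline's job list."""
    present = {job["name"] for job in pipeline_jobs}
    return enforced - present


def audit(project_variables, pipeline_jobs):
    """Run both checks; an empty dict means nothing suggests the policy was bypassed."""
    findings = {}
    conflicts = find_conflicting_variables(project_variables)
    if conflicts:
        findings["conflicting_variables"] = conflicts
    missing = find_missing_policy_jobs(pipeline_jobs)
    if missing:
        findings["missing_jobs"] = sorted(missing)
    return findings


# Constructed sample data reproducing the state after step 17: the project sets
# SAST_EXCLUDED_ANALYZERS=spotbugs and the resulting pipeline has no spotbugs-sast job.
SAMPLE_VARIABLES = json.loads(
    '[{"key": "SAST_EXCLUDED_ANALYZERS", "value": "spotbugs", "masked": false}]'
)
SAMPLE_JOBS = json.loads('[{"name": "build", "status": "success"}]')

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_VARIABLES, SAMPLE_JOBS), indent=2))
```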

Example Project

https://gitlab.com/gitlab-org/govern/security-policies/andys-test-group/example-issue-479315/test/

Possible fixes

Edited by Andy Schoenen