Implement Pipeline related audit events for security policies
Why are we doing this work
This task involves implementing audit events for pipeline execution and scan execution policy failures to provide visibility into policy enforcement issues.
Links / references
- Related to Epic: Security Policy Audit Events
- Spike issue: #528565 (closed)
- POC MR: !188432 (closed)
Use Cases
- Generate an audit event when pipeline execution or scan execution policy pipelines or jobs do not run when they are expected to run.
- Generate an audit event when enforced stages cannot be applied because the after conditions are too strict and the pipeline fails.
- Generate an audit event if the pipeline was skipped due to the `skip_ci` directive, ref: https://gitlab.com/gitlab-org/gitlab/-/issues/543915#note_2516362710
- Generate an audit event when pipeline execution or scan execution policy pipelines or jobs fail.
Implementation Details
- State machine in pipeline model
- Pipeline execution policy error
- Override stages conflict
- Duplicate job name error
Note: Check comment &15869 (comment 2464135280) for more details
Technical Considerations
- It might not be as straightforward to track all possible scenarios
- The audit events should be streaming only, considering these use cases will generate large volume of audit events
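As an added illustration of the use cases and implementation details above (example code, not GitLab's own implementation), the following Ruby sketch maps a constructed pipeline outcome to streaming-only audit events for each failure scenario the issue lists: expected policy jobs missing, policy jobs failing, enforced stages not applied, and a pipeline skipped via `skip_ci`. The policy job names, event names and the pipeline hash shape are hypothetical.

```ruby
require 'json'

# Constructed stand-in for the jobs each policy type is expected to inject.
POLICY_JOBS = {
  'pipeline_execution' => %w[pep-sast pep-secret-detection],
  'scan_execution'     => %w[sep-dependency-scanning]
}.freeze

# One audit event with the context a troubleshooter needs: policy type, job and
# reason. `stream_only: true` reflects the requirement that these high-volume
# events are streamed to external destinations rather than stored.
def audit_event(name, policy_type, job, reason, project_id)
  { event_name: name, policy_type: policy_type, job_name: job,
    failure_reason: reason, project_id: project_id, stream_only: true }
end

# pipeline: { status:, skipped_reason:, stage_error:, jobs: { name => status } }
def policy_audit_events(project_id, policy_jobs, pipeline)
  events = []
  if pipeline[:skipped_reason] == 'skip_ci'
    # The pipeline never ran, so emit one event per policy type, not per job.
    policy_jobs.each_key do |type|
      events << audit_event('policy_pipeline_skipped', type, nil, 'skip_ci directive', project_id)
    end
    return events
  end
  if pipeline[:stage_error]
    # Enforced stages could not be applied (e.g. after conditions too strict).
    events << audit_event('policy_stages_not_applied', 'pipeline_execution', nil,
                          pipeline[:stage_error], project_id)
  end
  policy_jobs.each do |type, jobs|
    jobs.each do |job|
      status = pipeline[:jobs][job]
      if status.nil?
        events << audit_event('policy_job_not_run', type, job, 'expected job missing from pipeline', project_id)
      elsif status == 'failed'
        events << audit_event('policy_job_failed', type, job, 'job failed', project_id)
      end
    end
  end
  events
end

if __FILE__ == $PROGRAM_NAME
  # Constructed outcome: one policy job failed, one expected job never appeared.
  pipeline = { status: 'failed', stage_error: nil,
               jobs: { 'pep-sast' => 'success', 'pep-secret-detection' => 'failed' } }
  puts JSON.pretty_generate(policy_audit_events(42, POLICY_JOBS, pipeline))
end
```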
Success Criteria
- Audit events are generated for all pipeline-related policy failures
- Events provide sufficient context about the failure reason
Verification Steps
- Create a project with pipeline execution and scan execution policies
- Create scenarios that trigger policy failures
- Verify audit events are generated with appropriate details
- Test scenarios where policies don't run when expected
- Verify audit events contain sufficient information for troubleshooting
Edited by Alan (Maciej) Paruszewski