
Execute scheduled security policy scans in shared pipelines

What does this MR do and why?

Scan execution policies specify a number of actions and a number of branches.

Currently, when a scheduled scan execution policy is executed, one pipeline per action is created, per branch. This is wasteful, because multiple scan jobs can share the same pipeline. The only exception to this is DAST scans, which must be executed in a separate pipeline.

This MR changes the current behaviour so that multiple actions share one pipeline per branch, with the exception of DAST, which gets its own pipeline per branch.

How to set up and validate locally

Validate type: schedule policies

  1. Create a new project
  2. Push a new branch to the repository, here I use `develop`
  3. Navigate to Security & Compliance > Policies
  4. Create a new policy from the following contents:
     ```yaml
     scan_execution_policy:
     - name: foobar
       description: foobar
       enabled: true
       actions:
       - scan: dast
         scanner_profile: Scanner Profile A
         site_profile: Site Profile B
       - scan: secret_detection
       - scan: sast
       - scan: container_scanning
       rules:
       - type: schedule
         cadence: "*/30 * * * *"
         branches:
         - main
         - develop
     ```
  5. Merge the resulting policy MR
  6. Create a new file with the following contents, e.g. `schedule.rb`:
     ```ruby
     # Look up the most recently created policy rule schedule, the project
     # its policy configuration belongs to, and the schedule's owner, then
     # invoke the schedule service directly instead of waiting for the cadence.
     schedule = Security::OrchestrationPolicyRuleSchedule.last
     project = schedule.security_orchestration_policy_configuration.project
     current_user = schedule.owner
     Security::SecurityOrchestrationPolicies::RuleScheduleService
       .new(container: project, current_user: current_user)
       .execute(schedule)
     ```
  7. Execute it: `bin/rails runner schedule.rb`
  8. Navigate to CI/CD > Pipelines
  9. Verify that a total of 4 pipelines were created, 2 pipelines per branch:
  • Scan pipeline
    • secret-detection-0
    • sast-1
    • container-scanning-2
  • On-demand pipeline
    • dast-on-demand-0
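The pipeline layout the validation steps above expect, modeled as an added Ruby example. This is not the MR's own code: it is a simplified planner that takes a schedule-type policy and returns one scan pipeline per branch carrying all non-DAST actions plus one separate on-demand pipeline per branch for DAST, using the job naming shown in the expected job list (`secret-detection-0`, `dast-on-demand-0`). The `POLICY` hash is a constructed copy of the policy from the steps above, and `legacy_pipeline_count` models the one-pipeline-per-action-per-branch behaviour the MR replaces.

```ruby
# Added illustration (not the MR's code): models how a schedule-type scan
# execution policy is turned into pipelines after this change. Each branch
# gets one pipeline carrying all non-DAST scan jobs and, if the policy has
# any DAST actions, one separate on-demand pipeline for them.

# Constructed copy of the policy used in the validation steps.
POLICY = {
  'name' => 'foobar',
  'enabled' => true,
  'actions' => [
    { 'scan' => 'dast', 'scanner_profile' => 'Scanner Profile A', 'site_profile' => 'Site Profile B' },
    { 'scan' => 'secret_detection' },
    { 'scan' => 'sast' },
    { 'scan' => 'container_scanning' }
  ],
  'rules' => [
    { 'type' => 'schedule', 'cadence' => '*/30 * * * *', 'branches' => %w[main develop] }
  ]
}.freeze

DAST_SCAN = 'dast'

# Job name for a scan action: "<scan-with-dashes>-<index within its group>".
# DAST jobs carry the "on-demand" infix, matching the expected job list above.
def job_name(scan, index)
  scan == DAST_SCAN ? "dast-on-demand-#{index}" : "#{scan.tr('_', '-')}-#{index}"
end

# Split the actions into the DAST group and everything else, so that the
# index a job gets is its position within its own pipeline (this is why
# secret_detection, the second action overall, becomes secret-detection-0).
def group_actions(actions)
  dast, other = actions.partition { |a| a['scan'] == DAST_SCAN }
  { scan: other, on_demand: dast }
end

# Branches named by the policy's schedule rules, de-duplicated.
def scheduled_branches(policy)
  policy['rules'].select { |r| r['type'] == 'schedule' }.flat_map { |r| r['branches'] }.uniq
end

# Build the list of pipelines one scheduled run of the policy creates:
# at most two per branch, and only one when the policy has no DAST action.
def plan_pipelines(policy)
  groups = group_actions(policy['actions'])

  scheduled_branches(policy).flat_map do |branch|
    groups.filter_map do |kind, actions|
      next if actions.empty?

      { branch: branch, kind: kind,
        jobs: actions.each_with_index.map { |a, i| job_name(a['scan'], i) } }
    end
  end
end

# The pre-MR behaviour: one pipeline per action, per branch.
def legacy_pipeline_count(policy)
  policy['actions'].size * scheduled_branches(policy).size
end

if $PROGRAM_NAME == __FILE__
  plan_pipelines(POLICY).each do |p|
    puts "#{p[:branch]} (#{p[:kind]}): #{p[:jobs].join(', ')}"
  end
end
```

Running the script lists the four pipelines from the validation steps (a scan and an on-demand pipeline for each of `main` and `develop`); dropping the DAST action from `POLICY` reduces the plan to two pipelines, one per branch, whereas the legacy behaviour would still create one pipeline per remaining action.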

Validate type: pipeline policies

  1. In the previously created project, navigate to Security & Compliance > Policies
  2. Update the existing policy with the following contents:
     ```yaml
     scan_execution_policy:
     - name: foobar
       description: foobar
       enabled: true
       actions:
       - scan: dast
         scanner_profile: Scanner Profile A
         site_profile: Site Profile B
       - scan: secret_detection
       - scan: sast
       - scan: container_scanning
       rules:
       - type: pipeline
         branches:
         - main
         - develop
     ```
  3. Commit the following `.gitlab-ci.yml` to the `main` branch:
     ```yaml
     dummy_job:
       stage: test
       script: ":" # no-op
     ```
  4. Navigate to CI/CD > Pipelines and verify the expected jobs were injected into a single pipeline.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #339427 (closed)

Edited by Dominic Bauer
