Override scan-skipping env vars for policy scans

What does this MR do and why?

Scan execution policies allow specifying security scans that should run periodically or as part of pipelines. Currently, these scan jobs can be skipped by setting CI variables such as CONTAINER_SCANNING_DISABLED and similar scan-skipping variables. This is unintentional, so this MR strips these scan-skipping variables from CI rule evaluation whenever a project is affected by a scan execution policy.
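To make the behaviour concrete, here is a small added Ruby illustration (not GitLab's own code, and not part of this MR) of the idea: the CI variables from the three sources used in the validation steps are merged, the scan-skipping keys are removed only when the project is affected by a policy, and a scanner-template style rule (`- if: $SECRET_DETECTION_DISABLED` / `when: never`) is then evaluated against the result. The function names, the rule evaluator and the list of scan-skipping variables beyond the two named above are assumptions made for the example.

```ruby
# Added illustration (not GitLab's code): strip scan-skipping CI variables
# from rule evaluation when a project is covered by a scan execution policy.

# Scan-skipping variables honoured by the scanner templates. The MR
# description names the first two "etc."; the rest are assumed here.
SCAN_SKIPPING_VARIABLES = %w[
  CONTAINER_SCANNING_DISABLED
  SECRET_DETECTION_DISABLED
  SAST_DISABLED
  DAST_DISABLED
  DEPENDENCY_SCANNING_DISABLED
].freeze

# Merge variables in ascending precedence: .gitlab-ci.yml is lowest,
# project settings override it, and pipeline-run inputs override both.
def merge_ci_variables(yaml:, project:, pipeline:)
  yaml.merge(project).merge(pipeline)
end

# Variable set handed to rule evaluation. When the project is affected by a
# scan execution policy, the scan-skipping keys are dropped so that no CI
# variable can disable a policy-mandated scan; other variables are untouched.
def variables_for_rule_evaluation(variables, policy_affected:)
  return variables unless policy_affected

  variables.reject { |name, _| SCAN_SKIPPING_VARIABLES.include?(name) }
end

# Minimal model of a bare `$VAR` rule expression: true when the variable
# exists and is a non-empty string.
def rule_matches?(expression, variables)
  name = expression.delete_prefix('$')
  value = variables[name]
  !value.nil? && !value.empty?
end

# Evaluate a job's rules list: the first matching rule decides, and
# `when: never` means the job is not added to the pipeline.
def job_included?(rules, variables)
  rules.each do |rule|
    next if rule[:if] && !rule_matches?(rule[:if], variables)

    return rule.fetch(:when, 'on_success') != 'never'
  end
  false
end

# Rules in the shape used by the scanner templates (assumed for the example).
SECRET_DETECTION_RULES = [
  { if: '$SECRET_DETECTION_DISABLED', when: 'never' },
  { when: 'on_success' }
].freeze
CONTAINER_SCANNING_RULES = [
  { if: '$CONTAINER_SCANNING_DISABLED', when: 'never' },
  { when: 'on_success' }
].freeze

# Constructed input mirroring the validation steps: the skip variables are set
# in .gitlab-ci.yml, in project settings and as pipeline inputs. Returns the
# policy scan jobs that would be created in the test stage.
def scan_jobs_created(policy_affected:)
  merged = merge_ci_variables(
    yaml: { 'SECRET_DETECTION_DISABLED' => 'true', 'CONTAINER_SCANNING_DISABLED' => 'true' },
    project: { 'SECRET_DETECTION_DISABLED' => 'true' },
    pipeline: { 'CONTAINER_SCANNING_DISABLED' => 'true', 'CI_DEBUG_TRACE' => 'false' }
  )
  evaluated = variables_for_rule_evaluation(merged, policy_affected: policy_affected)

  jobs = []
  jobs << 'secret-detection-0' if job_included?(SECRET_DETECTION_RULES, evaluated)
  jobs << 'container-scanning-1' if job_included?(CONTAINER_SCANNING_RULES, evaluated)
  jobs
end

if __FILE__ == $PROGRAM_NAME
  p scan_jobs_created(policy_affected: false) # => []
  p scan_jobs_created(policy_affected: true)  # => ["secret-detection-0", "container-scanning-1"]
end
```

Without a policy the variables win and both scan jobs are skipped; with a policy in place the same variables are ignored for rule evaluation and both jobs are created, which is exactly what the pipeline validation below checks for.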

How to set up and validate locally

Validate type: pipeline policies

  1. Create a new project
  2. Navigate to Settings > CI/CD
  3. Under the "Variables" section, add two environment variables:
     • CONTAINER_SCANNING_DISABLED: true
     • SECRET_DETECTION_DISABLED: true
  4. Commit the following .gitlab-ci.yml:

     variables:
       SECRET_DETECTION_DISABLED: "true"
       CONTAINER_SCANNING_DISABLED: "true"

     dummy_job:
       stage: test
       script: export

  5. Navigate to Security & Compliance > Policies
  6. Create a new policy with the following contents:

     - name: Foobar
       description: ''
       enabled: true
       rules:
       - type: pipeline
         branches:
         - "*"
       actions:
       - scan: secret_detection
       - scan: container_scanning

  7. Navigate to CI/CD > Pipelines and click "Run pipeline"
  8. In the pipeline form, add two input variables:
     • CONTAINER_SCANNING_DISABLED: true
     • SECRET_DETECTION_DISABLED: true
  9. Run the pipeline and verify that 3 jobs were created in the test stage:
     • secret-detection-0
     • container-scanning-1
     • dummy_job

Validate type: schedule policies

  1. Edit the existing scan execution policy:

     scan_execution_policy:
     - name: Foobar
       description: ''
       enabled: true
       rules:
       - type: schedule
         branches:
         - main
         cadence: '0 0 * * *'
       actions:
       - scan: secret_detection
       - scan: container_scanning

  2. Create a new file with the following contents, e.g. schedule.rb:

     # Take the most recently created policy rule schedule and run it
     # as its owner, the same way a cron-triggered policy would run.
     schedule = Security::OrchestrationPolicyRuleSchedule.last
     project = schedule.security_orchestration_policy_configuration.project
     current_user = schedule.owner
     Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)

  3. Execute it: bin/rails runner schedule.rb
  4. Navigate to CI/CD > Pipelines
  5. Verify that 2 jobs were created in the test stage:
     • secret-detection-0
     • container-scanning-1

Database queries

SELECT
	projects.*
FROM
	projects
WHERE
	projects.id = 28945805
LIMIT 1;

Query plan


SELECT
	security_orchestration_policy_configurations.*
FROM
	security_orchestration_policy_configurations
WHERE
	security_orchestration_policy_configurations.project_id = 28945805
LIMIT 1;

Query plan


SELECT
	security_orchestration_policy_configurations.*
FROM
	security_orchestration_policy_configurations
WHERE
	security_orchestration_policy_configurations.id = 42
LIMIT 1;

Query plan


SELECT
	routes.*
FROM
	routes
WHERE
	routes.source_id = 28945805
	AND routes.source_type = 'Project'
LIMIT 1;

Query plan


-- app/models/concerns/has_repository.rb:84:in `default_branch_from_group_preferences'
SELECT
	namespaces.id,
	namespaces.name,
	namespaces.path,
	namespaces.owner_id,
	namespaces.created_at,
	namespaces.updated_at,
	namespaces.TYPE,
	namespaces.description,
	namespaces.avatar,
	namespaces.membership_lock,
	namespaces.share_with_group_lock,
	namespaces.visibility_level,
	namespaces.request_access_enabled,
	namespaces.ldap_sync_status,
	namespaces.ldap_sync_error,
	namespaces.ldap_sync_last_update_at,
	namespaces.ldap_sync_last_successful_update_at,
	namespaces.ldap_sync_last_sync_at,
	namespaces.description_html,
	namespaces.lfs_enabled,
	namespaces.parent_id,
	namespaces.shared_runners_minutes_limit,
	namespaces.repository_size_limit,
	namespaces.require_two_factor_authentication,
	namespaces.two_factor_grace_period,
	namespaces.cached_markdown_version,
	namespaces.project_creation_level,
	namespaces.runners_token,
	namespaces.file_template_project_id,
	namespaces.saml_discovery_token,
	namespaces.runners_token_encrypted,
	namespaces.custom_project_templates_group_id,
	namespaces.auto_devops_enabled,
	namespaces.extra_shared_runners_minutes_limit,
	namespaces.last_ci_minutes_notification_at,
	namespaces.last_ci_minutes_usage_notification_level,
	namespaces.subgroup_creation_level,
	namespaces.emails_disabled,
	namespaces.max_pages_size,
	namespaces.max_artifacts_size,
	namespaces.mentions_disabled,
	namespaces.default_branch_protection,
	namespaces.unlock_membership_to_ldap,
	namespaces.max_personal_access_token_lifetime,
	namespaces.push_rule_id,
	namespaces.shared_runners_enabled,
	namespaces.allow_descendants_override_disabled_shared_runners,
	namespaces.traversal_ids
FROM
	namespaces
WHERE
	namespaces.TYPE = 'Group'
	AND namespaces.id = 11805471
LIMIT 1;

Query plan

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #377540 (closed)

Edited by Dominic Bauer
