Override scan-skipping env vars for policy scans
requested to merge 377540-users-should-not-be-able-to-disable-secret-detection-container-security-etc-scans into master
What does this MR do and why?
Scan execution policies allow specifying security scans that should be carried out periodically or as part of pipelines. Currently, these scan jobs can be skipped by setting CI variables such as `CONTAINER_SCANNING_DISABLED`. This is unintentional, and this MR strips these scan-skipping variables from CI rule evaluation if a project is affected by scan execution policies.
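The behaviour described above, as an added worked example in Ruby (constructed for this description; it is not GitLab's own code, and every function name in it is hypothetical): the skip variables coming from project settings, `.gitlab-ci.yml` and the "Run pipeline" form are merged, and, for a project covered by a policy, the variables that would skip the policy's scans are dropped before the scan jobs' rules are evaluated. The example assumes each scan job is gated by a `rules: - if: $<SCAN>_DISABLED` / `when: never` rule, and it only protects the scans the policy enforces; a scan the user configured themselves keeps honouring its own `*_DISABLED` variable.

```ruby
# Added illustration, not GitLab's own code: a small model of how scan
# execution policies can neutralise the CONTAINER_SCANNING_DISABLED /
# SECRET_DETECTION_DISABLED variables during CI rule evaluation.
# All names below (merge_variables, variables_for_rule_evaluation,
# scan_job_created?, jobs_created) are hypothetical.

# Which CI variable skips which scan (the two scans from the test plan).
SCAN_SKIP_VARIABLES = {
  'secret_detection'   => 'SECRET_DETECTION_DISABLED',
  'container_scanning' => 'CONTAINER_SCANNING_DISABLED'
}.freeze

# Variables arrive from several places (project settings, the `variables:`
# block of .gitlab-ci.yml, the "Run pipeline" form); later sources override.
def merge_variables(*sources)
  sources.reduce({}) { |merged, vars| merged.merge(vars) }
end

# When the project is covered by a scan execution policy, drop the skip
# variable of every scan that policy enforces before rules are evaluated.
# Assumption of this example: only policy-enforced scans are protected.
def variables_for_rule_evaluation(variables, policy_scans:, policy_enforced:)
  return variables unless policy_enforced

  protected_keys = policy_scans.map { |scan| SCAN_SKIP_VARIABLES[scan] }.compact
  variables.reject { |key, _value| protected_keys.include?(key) }
end

# Minimal stand-in for the template rule each scan job carries
# (`rules: - if: $<SCAN>_DISABLED` / `when: never`): the job is skipped
# only when the variable is present and non-empty in the evaluated set.
def scan_job_created?(scan, evaluated_variables)
  flag = evaluated_variables[SCAN_SKIP_VARIABLES.fetch(scan)]
  flag.nil? || flag.empty?
end

# Returns the policy scans whose jobs end up in the pipeline.
def jobs_created(scans, variables, policy_enforced:)
  evaluated = variables_for_rule_evaluation(variables,
                                            policy_scans: scans,
                                            policy_enforced: policy_enforced)
  scans.select { |scan| scan_job_created?(scan, evaluated) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the test plan: the same two skip variables
  # set in project settings, in .gitlab-ci.yml and in the pipeline form.
  project_settings = { 'CONTAINER_SCANNING_DISABLED' => 'true', 'SECRET_DETECTION_DISABLED' => 'true' }
  ci_yaml          = { 'SECRET_DETECTION_DISABLED' => 'true', 'CONTAINER_SCANNING_DISABLED' => 'true' }
  pipeline_form    = { 'CONTAINER_SCANNING_DISABLED' => 'true', 'SECRET_DETECTION_DISABLED' => 'true' }
  variables = merge_variables(project_settings, ci_yaml, pipeline_form)
  scans = %w[secret_detection container_scanning]

  puts "without policy: #{jobs_created(scans, variables, policy_enforced: false).inspect}"
  puts "with policy:    #{jobs_created(scans, variables, policy_enforced: true).inspect}"
end
```

Running the file prints an empty job list without a policy and both scan jobs with one, which is exactly the difference the manual validation steps below check in the `test` stage.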
How to set up and validate locally
`type: pipeline` policies

Validate:
- Create a new project
- Navigate to Settings > CI/CD
- Under the "Variables" section, add two environment variables:
  - `CONTAINER_SCANNING_DISABLED`: `true`
  - `SECRET_DETECTION_DISABLED`: `true`
- Commit the following `.gitlab-ci.yml`:

  ```yaml
  variables:
    SECRET_DETECTION_DISABLED: "true"
    CONTAINER_SCANNING_DISABLED: "true"

  dummy_job:
    stage: test
    script: export
  ```
- Navigate to Security & Compliance > Policies
- Create a new policy with the following contents:

  ```yaml
  - name: Foobar
    description: ''
    enabled: true
    rules:
    - type: pipeline
      branches:
      - "*"
    actions:
    - scan: secret_detection
    - scan: container_scanning
  ```
- Navigate to CI/CD > Pipelines and click "Run pipeline"
- In the pipeline form, add two input variables:
  - `CONTAINER_SCANNING_DISABLED`: `true`
  - `SECRET_DETECTION_DISABLED`: `true`
- Run the pipeline and verify that 3 jobs were created in the `test` stage:
  - secret-detection-0
  - container-scanning-1
  - dummy_job
`type: schedule` policies

Validate:
- Edit the existing scan execution policy:

  ```yaml
  scan_execution_policy:
  - name: Foobar
    description: ''
    enabled: true
    rules:
    - type: schedule
      branches:
      - main
      cadence: '0 0 * * *'
    actions:
    - scan: secret_detection
    - scan: container_scanning
  ```
- Create a new file with the following contents, e.g. `schedule.rb`:

  ```ruby
  schedule = Security::OrchestrationPolicyRuleSchedule.last
  project = schedule.security_orchestration_policy_configuration.project
  current_user = schedule.owner
  Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project, current_user: current_user).execute(schedule)
  ```
- Execute it: `bin/rails runner schedule.rb`
- Navigate to CI/CD > Pipelines
- Verify that 2 jobs were created in the `test` stage:
  - secret-detection-0
  - container-scanning-1
Database queries

```sql
SELECT
    projects.*
FROM
    projects
WHERE
    projects.id = 28945805
LIMIT 1;
```

```sql
SELECT
    security_orchestration_policy_configurations.*
FROM
    security_orchestration_policy_configurations
WHERE
    security_orchestration_policy_configurations.project_id = 28945805
LIMIT 1;
```

```sql
SELECT
    security_orchestration_policy_configurations.*
FROM
    security_orchestration_policy_configurations
WHERE
    security_orchestration_policy_configurations.id = 42
LIMIT 1;
```

```sql
SELECT
    routes.*
FROM
    routes
WHERE
    routes.source_id = 28945805
    AND routes.source_type = 'Project'
LIMIT 1;
```

```sql
-- app/models/concerns/has_repository.rb:84:in `default_branch_from_group_preferences'
SELECT
    namespaces.id,
    namespaces.name,
    namespaces.path,
    namespaces.owner_id,
    namespaces.created_at,
    namespaces.updated_at,
    namespaces.TYPE,
    namespaces.description,
    namespaces.avatar,
    namespaces.membership_lock,
    namespaces.share_with_group_lock,
    namespaces.visibility_level,
    namespaces.request_access_enabled,
    namespaces.ldap_sync_status,
    namespaces.ldap_sync_error,
    namespaces.ldap_sync_last_update_at,
    namespaces.ldap_sync_last_successful_update_at,
    namespaces.ldap_sync_last_sync_at,
    namespaces.description_html,
    namespaces.lfs_enabled,
    namespaces.parent_id,
    namespaces.shared_runners_minutes_limit,
    namespaces.repository_size_limit,
    namespaces.require_two_factor_authentication,
    namespaces.two_factor_grace_period,
    namespaces.cached_markdown_version,
    namespaces.project_creation_level,
    namespaces.runners_token,
    namespaces.file_template_project_id,
    namespaces.saml_discovery_token,
    namespaces.runners_token_encrypted,
    namespaces.custom_project_templates_group_id,
    namespaces.auto_devops_enabled,
    namespaces.extra_shared_runners_minutes_limit,
    namespaces.last_ci_minutes_notification_at,
    namespaces.last_ci_minutes_usage_notification_level,
    namespaces.subgroup_creation_level,
    namespaces.emails_disabled,
    namespaces.max_pages_size,
    namespaces.max_artifacts_size,
    namespaces.mentions_disabled,
    namespaces.default_branch_protection,
    namespaces.unlock_membership_to_ldap,
    namespaces.max_personal_access_token_lifetime,
    namespaces.push_rule_id,
    namespaces.shared_runners_enabled,
    namespaces.allow_descendants_override_disabled_shared_runners,
    namespaces.traversal_ids
FROM
    namespaces
WHERE
    namespaces.TYPE = 'Group'
    AND namespaces.id = 11805471
LIMIT 1;
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #377540 (closed)
Edited by Dominic Bauer