
Add security_policy_bot user for scan execution policies

What does this MR do and why?

Addresses #367449 (closed)

Currently, scan execution policies use Ci::CreatePipelineService in order to create new pipelines. The service performs these checks, which need to pass for a pipeline to be created:

  1. The project is not currently being deleted
  2. The project has CI/CD enabled in the settings
  3. The current user is allowed to create pipelines on the project (developer or higher)
  4. The current user is allowed to write to the branch that the pipeline is running for (protected branch settings are taken into account for this)

The last person to make a commit on the security policy is used as the current user (1, 2).

There are a few problems with how these checks are currently performed:

  1. Maintainers can disable CI/CD in the settings in order to prevent scan execution policies from being run.
  2. The person who last edited the security policy may not have sufficient permissions in all the places where scans should run (e.g. a protected-branch pipeline on a project which they don't maintain). Security personnel shouldn't need excessive permissions added to their account in order for the scan execution policies to work.
  3. When a user leaves the organization, the policies will stop working unless someone else makes an edit to the security policies.

This MR adds a new bot user of type security_policy_bot and uses that user to create pipelines when the pipeline source is security_orchestration_policy.
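To make the failure modes above concrete, here is an added illustration (not GitLab's code, and not part of this MR) that models the four checks in plain Ruby and shows how the acting user is chosen from the pipeline source. Every class and method name here is hypothetical; the real checks live in Ci::CreatePipelineService. It assumes the bot has been granted a maintainer membership on the project (how the bot obtains access in GitLab is not described on this page) and that the two project-level checks (deletion, CI/CD enabled) still apply to the bot.

```ruby
# Added illustration of the pipeline-creation checks described in the MR.
# Names are hypothetical; this is not GitLab's implementation.
require 'set'

# Roles ordered by privilege; "developer or higher" may create pipelines.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User = Struct.new(:username, :bot_type, :active, keyword_init: true)

# memberships: { username => role }
# protected_branches: { branch => Set of roles allowed to push }; nil means unprotected
Project = Struct.new(:name, :pending_delete, :ci_enabled, :memberships, :protected_branches,
                     keyword_init: true) do
  def role_of(user)
    memberships[user.username]
  end
end

class PipelineCreationChecks
  def initialize(project, user, branch)
    @project, @user, @branch = project, user, branch
  end

  # Returns the names of the failed checks; an empty array means a pipeline may be created.
  def failures
    result = []
    result << :project_being_deleted if @project.pending_delete        # check 1
    result << :ci_disabled unless @project.ci_enabled                  # check 2
    result << :cannot_create_pipeline unless can_create_pipeline?      # check 3
    result << :cannot_push_to_branch unless can_push_to_branch?        # check 4
    result
  end

  private

  # A deactivated account (someone who left the organization) holds no effective role.
  def effective_role
    @user.active ? @project.role_of(@user) : nil
  end

  def can_create_pipeline?
    role = effective_role
    !role.nil? && ROLE_RANK[role] >= ROLE_RANK[:developer]
  end

  def can_push_to_branch?
    role = effective_role
    return false if role.nil?
    allowed = @project.protected_branches[@branch]
    allowed.nil? || allowed.include?(role)
  end
end

# Before the MR the last committer of the policy was always the acting user;
# with the MR, policy-sourced pipelines run as the dedicated bot instead.
def acting_user(source:, last_policy_committer:, bot:)
  source == :security_orchestration_policy ? bot : last_policy_committer
end

# Constructed scenario: a security engineer who is only a developer on a project
# whose master branch is protected, versus the bot.
def scenario
  bot   = User.new(username: 'security_policy_bot', bot_type: :security_policy_bot, active: true)
  alice = User.new(username: 'alice', bot_type: nil, active: true)
  alice_gone = User.new(username: 'alice', bot_type: nil, active: false) # left the organization

  project = Project.new(
    name: 'payments', pending_delete: false, ci_enabled: true,
    memberships: { 'alice' => :developer, 'security_policy_bot' => :maintainer },
    protected_branches: { 'master' => Set[:maintainer, :owner] }
  )
  project_ci_off = project.dup
  project_ci_off.ci_enabled = false

  chosen = acting_user(source: :security_orchestration_policy, last_policy_committer: alice, bot: bot)

  {
    committer_before: PipelineCreationChecks.new(project, alice, 'master').failures,
    committer_left:   PipelineCreationChecks.new(project, alice_gone, 'master').failures,
    bot_after:        PipelineCreationChecks.new(project, chosen, 'master').failures,
    bot_ci_disabled:  PipelineCreationChecks.new(project_ci_off, bot, 'master').failures
  }
end
```

Running `scenario` shows problems 2 and 3 from the list: the committer fails the protected-branch check, and fails both user checks once deactivated, while the bot passes them. The bot still fails when CI/CD is disabled, since that is a project-level check rather than a permission of the acting user.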

Screenshots or screen recordings

Pipeline created by bot (screenshot: Screenshot_2022-11-11_at_15.55.55)

Bot user page (screenshot: Screenshot_2022-11-11_at_15.56.05)

How to set up and validate locally

  • Create a scheduled scan execution policy (Security & Compliance -> Policies):

```yaml
---
scan_execution_policy:
- name: Scheduled scan
  description: ''
  enabled: true
  rules:
  - type: schedule
    branches:
    - master
    cadence: 0 15 * * *
  actions:
  - scan: container_scanning
```

  • Wait till the scheduler triggers the pipeline OR manually execute from the rails console:

```ruby
schedule = Security::OrchestrationPolicyRuleSchedule.last

Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: schedule.security_orchestration_policy_configuration.project, current_user: User.security_policy_bot).execute(schedule)
```

  • Verify the Triggerer of the newly created pipeline

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
