
Allow scan execution policies to create pipelines

Marcos Rocha requested to merge mc_rocha-test-scan-create-pipeline into master

What does this MR do and why?

As someone accountable for an organization's security posture, I want to be confident that security scans are running on all of my repositories, even if those repositories do not have CI/CD configured.

Today, scan execution policies only ensure that the security scan configuration is present in pipelines that run; nothing guarantees that a pipeline is triggered at all. To close that gap, a pipeline should be created whenever a scan execution policy applies to the repository, even if Auto DevOps is disabled and no .gitlab-ci.yml is present.

This MR adds a new pipeline config source that creates pipelines containing the security policy scans when Auto DevOps is disabled and no .gitlab-ci.yml is available.

Related issue #403723 (closed)

Screenshots or screen recordings

Pipeline with the new security policy template (screenshot: Screenshot_2023-06-12_at_5.09.15_PM)

Pipeline with the .gitlab-ci.yml jobs merged with the security scan defined in the policy (screenshot: Screenshot_2023-06-12_at_5.09.51_PM)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the feature flag in a Rails console:

     ```ruby
     # rails c
     Feature.enable(:scan_execution_policy_pipelines)
     ```

  2. Create a new project with a readme file.
  3. Go to /-/settings/ci_cd.
  4. Click Expand in the Auto DevOps section.
  5. Disable the option Default to Auto DevOps pipeline.
  6. Create a new Scan execution policy with the content:

     ```yaml
     type: scan_execution_policy
     name: 'Test policy pipeline'
     description: ''
     enabled: true
     rules:
       - type: pipeline
         branches:
           - '*'
     actions:
       - scan: container_scanning
         tags: []
     ```

  7. Click Configure with a merge request.
  8. Merge the new MR.
  9. Update the readme file using the Web IDE and push the changes to the main branch.
  10. Go to the /-/pipelines page.
  11. Check that a pipeline was created.
  12. Check that the pipeline contains the jobs defined in the new template.
  13. Add a .gitlab-ci.yml file with the content:

      ```yaml
      test1:
        stage: test
        script:
          - echo "Do a test here"
      ```

  14. Wait for the pipeline execution.
  15. Check that the pipeline contains the jobs defined by the Scan Execution policy.
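The decision the validation steps exercise, as an added illustrative model written for this page (it is not GitLab's implementation and does not use GitLab's internal APIs): given the sample policy and the optional .gitlab-ci.yml from the steps above, it decides whether a push to a branch produces a pipeline at all, which source that pipeline's configuration comes from, and which jobs it carries. The config source names, the placeholder scan job bodies in `SCAN_JOB_TEMPLATES`, and the rule that a policy job wins on a name clash with a repository job are assumptions of the model; the inputs are constructed copies of the YAML in the steps.

```ruby
require 'yaml'

# Constructed sample inputs: the policy and .gitlab-ci.yml from the validation steps.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: 'Test policy pipeline'
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: container_scanning
      tags: []
YAML

PROJECT_CI_YAML = <<~YAML
  test1:
    stage: test
    script:
      - echo "Do a test here"
YAML

# Placeholder job bodies per scan type (assumption). In GitLab the real jobs come
# from the scanner's CI template; the script here is only a stand-in for the model.
SCAN_JOB_TEMPLATES = {
  'container_scanning' => {
    'stage' => 'test',
    'script' => ['echo "placeholder: run container scanning"']
  }
}.freeze

# True when the policy is enabled and at least one pipeline rule matches the branch.
# Branch entries are globs, so '*' from the sample policy matches every branch.
def policy_applies?(policy, branch)
  return false unless policy['enabled']

  policy.fetch('rules', []).any? do |rule|
    rule['type'] == 'pipeline' &&
      rule.fetch('branches', []).any? { |pattern| File.fnmatch(pattern, branch) }
  end
end

# Where the pipeline configuration comes from (illustrative symbols, not GitLab's enum).
# A committed .gitlab-ci.yml wins, then Auto DevOps; with neither, an applicable
# policy is the only thing that makes a pipeline exist, otherwise none is created.
def pipeline_config_source(policy:, branch:, auto_devops_enabled:, ci_yml:)
  return :repository if ci_yml
  return :auto_devops if auto_devops_enabled
  return :security_policy if policy_applies?(policy, branch)

  nil
end

# Jobs contributed by the policy: one job per scan action, carrying the action's tags.
def policy_jobs(policy)
  policy.fetch('actions', []).each_with_object({}) do |action, jobs|
    template = SCAN_JOB_TEMPLATES.fetch(action['scan'])
    jobs[action['scan']] = template.merge('tags' => action.fetch('tags', []))
  end
end

# Job set for a push to `branch`, or nil when no pipeline would run at all.
# With a .gitlab-ci.yml present, the policy's jobs are merged into the project's
# jobs; on a name clash the policy job wins (assumption: policy-enforced scans must
# not be overridable from the repository). Auto DevOps jobs are not modelled.
def pipeline_jobs(policy:, branch:, auto_devops_enabled:, ci_yml:)
  source = pipeline_config_source(policy: policy, branch: branch,
                                  auto_devops_enabled: auto_devops_enabled, ci_yml: ci_yml)
  return nil if source.nil?

  jobs = ci_yml ? YAML.safe_load(ci_yml) : {}
  jobs = jobs.merge(policy_jobs(policy)) if policy_applies?(policy, branch)
  jobs
end

if __FILE__ == $PROGRAM_NAME
  policy = YAML.safe_load(POLICY_YAML)
  # No .gitlab-ci.yml, Auto DevOps off: the policy alone creates the pipeline.
  puts pipeline_jobs(policy: policy, branch: 'main', auto_devops_enabled: false, ci_yml: nil).keys.inspect
  # .gitlab-ci.yml present: its jobs are merged with the policy's scan job.
  puts pipeline_jobs(policy: policy, branch: 'main', auto_devops_enabled: false, ci_yml: PROJECT_CI_YAML).keys.inspect
end
```

The two `puts` calls correspond to steps 11 and 15 of the validation: the first pipeline carries only the policy's scan job, the second carries both the repository's `test1` and the policy's `container_scanning`. Narrowing the rule's branch pattern (for example to `release/*`) shows the other edge: a push to `main` then yields no pipeline at all when there is no .gitlab-ci.yml and Auto DevOps is disabled.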

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Allison Browne
