Allow scan execution policies to create pipelines

Merged Marcos Rocha requested to merge mc_rocha-test-scan-create-pipeline into master

What does this MR do and why?

As someone accountable for an organization's security posture, I want to be confident that security scans are running on all of my repositories, even if those repositories do not have CI/CD configured.

Today, scan execution policies only ensure that the security scan configuration is present in pipelines that run. Something still needs to ensure that those pipelines are triggered. To ensure that those pipelines are triggered, new pipelines should be created if a scan execution policy applies to the repository. This should happen even if Auto DevOps is disabled and no .gitlab-ci.yml is present.

We are adding a new config source that creates pipelines containing the security policy scans when Auto DevOps is disabled and no .gitlab-ci.yml is available.

Related issue #403723 (closed)

Screenshots or screen recordings

Pipeline with the new security policy template:

[Screenshot: Screenshot_2023-06-12_at_5.09.15_PM]

Pipeline with the .gitlab-ci.yml jobs merged with the security scan defined in the policy:

[Screenshot: Screenshot_2023-06-12_at_5.09.51_PM]

How to set up and validate locally


  1. Enable the feature flag:

     ```
     rails c
     Feature.enable(:scan_execution_policy_pipelines)
     ```

  2. Create a new project with a README file.
  3. Go to /-/settings/ci_cd.
  4. Click Expand in the Auto DevOps section.
  5. Disable the option Default to Auto DevOps pipeline.
  6. Create a new scan execution policy with the content:

     ```yaml
     type: scan_execution_policy
     name: 'Test policy pipeline'
     description: ''
     enabled: true
     rules:
       - type: pipeline
         branches:
           - '*'
     actions:
       - scan: container_scanning
         tags: []
     ```

  7. Click Configure with a merge request.
  8. Merge the new MR.
  9. Update the README file using the Web IDE and push the changes to the main branch.
  10. Go to the /-/pipelines page.
  11. Check that a pipeline was created.
  12. Check that the pipeline contains the jobs defined in the new template.
  13. Add a .gitlab-ci.yml file with the content:

      ```yaml
      test1:
        stage: test
        script:
          - echo "Do a test here"
      ```

  14. Wait for the pipeline execution.
  15. Check that the pipeline contains the jobs defined by the scan execution policy.
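To make the behaviour described above concrete, here is an added Ruby sketch (not GitLab's own code) that models the decision: it parses the policy from the validation steps, checks whether one of its `pipeline` rules matches the pushed branch, and picks the config source, merging the policy's jobs into an existing .gitlab-ci.yml or creating a pipeline from the new source when there is none and Auto DevOps is off. The job names, the `:security_policy_default` symbol and the way actions become jobs are assumptions, not GitLab's real template.

```ruby
require 'yaml'

# Constructed sample: the scan execution policy from the validation steps.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: 'Test policy pipeline'
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: container_scanning
      tags: []
YAML

# Constructed sample: the .gitlab-ci.yml added in the last validation step.
PROJECT_CI_YAML = "test1:\n  stage: test\n  script:\n    - echo \"Do a test here\"\n"

# Enabled policy with a `pipeline` rule whose branch glob matches the pushed branch?
def policy_applies?(policy, branch)
  return false unless policy['enabled']
  policy.fetch('rules', []).any? do |rule|
    rule['type'] == 'pipeline' &&
      rule.fetch('branches', []).any? { |glob| File.fnmatch?(glob, branch) }
  end
end

# Hypothetical: one job per policy action (names/scripts assumed; GitLab's real template not modelled).
def policy_jobs(policy)
  policy.fetch('actions', []).to_h do |action|
    ["#{action['scan']}-policy", { 'stage' => 'test', 'script' => ["run #{action['scan']}"] }]
  end
end

# Returns [config_source, jobs]; :none means no pipeline is created.
# :security_policy_default is an assumed name for the new source.
def build_pipeline(policy_yaml:, project_ci_yaml:, auto_devops:, branch:)
  policy = YAML.safe_load(policy_yaml)
  extra = policy_applies?(policy, branch) ? policy_jobs(policy) : {}
  if project_ci_yaml   # repository CI config exists: policy jobs are merged into it
    [:repository, YAML.safe_load(project_ci_yaml).merge(extra)]
  elsif auto_devops    # existing Auto DevOps path (its own jobs omitted here)
    [:auto_devops, extra]
  elsif extra.any?     # no CI file, Auto DevOps off, policy applies: the new source
    [:security_policy_default, extra]
  else
    [:none, {}]
  end
end
```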

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Allison Browne

Activity
  • Marcos Rocha changed the description
  • Adam Moss mentioned in issue #393960
  • Marcos Rocha added 1550 commits
    • e395cb02...df7a4239 - 1536 commits from branch master
    • df7a4239...78d84a29 - 4 earlier commits
    • 924b2291 - Allow scan execution policies to create pipelines
    • 2b9de193 - Allow scan execution policies to create pipelines
    • 92e69abf - Allow scan execution policies to create pipelines
    • 4bc5856b - Allow scan execution policies to create pipelines
    • 2d940779 - Scan execution create pipeline
    • a7ada081 - Scan execution create pipeline
    • 676e7b5d - Scan execution create pipeline
    • a5c4c391 - Scan execution create pipeline
    • 1ab8a1a0 - Scan execution create pipeline
    • e6b52850 - Scan execution create pipeline
  • A deleted user added citemplates label
  • Marcos Rocha added 270 commits
  • Marcos Rocha added 1 commit
    • 3924f578 - Add Security Policy Default source
  • Marcos Rocha mentioned in commit 3924f578
  • Marcos Rocha changed the description
  • Marcos Rocha mentioned in commit 244e1c7f
  • Marcos Rocha mentioned in commit f62618db
  • Marcos Rocha added 386 commits
  • Marcos Rocha changed the description
  • Marcos Rocha requested review from @bwill
  • Marcos Rocha requested review from @sashi_kumar
  • Brian Williams removed review request for @bwill
