Allow scan execution policies to create pipelines
What does this MR do and why?
As someone accountable for an organization's security posture, I want to be confident that security scans are running on all of my repositories, even if those repositories do not have CI/CD configured.
Today, scan execution policies only ensure that the security scan configuration is present in pipelines that run; something still needs to ensure that those pipelines are triggered. To guarantee that, a new pipeline should be created whenever a scan execution policy applies to the repository, even if Auto DevOps is disabled and no .gitlab-ci.yml is present.
We are adding a new config source that creates pipelines containing the security policy scans when Auto DevOps is disabled and no .gitlab-ci.yml is available.
Related issue #403723 (closed)
Screenshots or screen recordings
- Pipeline with the new security policy template
- Pipeline with the .gitlab-ci.yml jobs merged with the security scan defined in the policy
How to set up and validate locally
- Enable the feature flag in a Rails console:
  ```ruby
  # rails c
  Feature.enable(:scan_execution_policy_pipelines)
  ```
- Create a new project with a readme file.
- Go to /-/settings/ci_cd
- Click Expand in the Auto DevOps section
- Disable the option "Default to Auto DevOps pipeline"
- Create a new Scan execution policy with the content:
  ```yaml
  type: scan_execution_policy
  name: 'Test policy pipeline'
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: container_scanning
      tags: []
  ```
- Click "Configure with a merge request"
- Merge the new MR
- Update the readme file using the Web IDE and push the changes to the main branch
- Go to the -/pipelines page
- Check if a pipeline was created
- Check if the pipeline contains the jobs defined in the new template
- Add a .gitlab-ci.yml file with the content:
  ```yaml
  test1:
    stage: test
    script:
      - echo "Do a test here"
  ```
- Wait for the pipeline execution
- Check if the pipeline contains the jobs defined by the Scan Execution policy
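As an added illustration of what the validation steps above check (this is not GitLab's own code; the source name `security_policy_default`, the function names and the job shape are assumptions), the model below decides which config source a pipeline would use and which jobs it ends up with for the three situations in the steps: a policy with no .gitlab-ci.yml, a .gitlab-ci.yml whose jobs are merged with the policy scan, and no applicable policy.

```python
from fnmatch import fnmatch

# Constructed equivalent of the scan execution policy used in the validation steps.
POLICY = {
    "type": "scan_execution_policy",
    "name": "Test policy pipeline",
    "enabled": True,
    "rules": [{"type": "pipeline", "branches": ["*"]}],
    "actions": [{"scan": "container_scanning", "tags": []}],
}


def policy_applies(policy, branch):
    """True when an enabled policy has a pipeline rule whose branch pattern matches."""
    if not policy.get("enabled"):
        return False
    return any(
        rule.get("type") == "pipeline"
        and any(fnmatch(branch, pat) for pat in rule.get("branches", []))
        for rule in policy.get("rules", [])
    )


def choose_config_source(has_ci_yml, auto_devops_enabled, policies, branch):
    """Where the pipeline config comes from, or None if no pipeline is created.
    Assumed precedence: repository file, Auto DevOps, then the new
    security-policy default source (only when a policy applies)."""
    if has_ci_yml:
        return "repository"
    if auto_devops_enabled:
        return "auto_devops"
    if any(policy_applies(p, branch) for p in policies):
        return "security_policy_default"  # assumed name for the new source
    return None


def build_pipeline(ci_jobs, has_ci_yml, auto_devops_enabled, policies, branch):
    """Merge the project's jobs with one job per policy scan action.
    Auto DevOps' own jobs are out of scope here and are not modelled."""
    source = choose_config_source(has_ci_yml, auto_devops_enabled, policies, branch)
    if source is None:
        return None
    jobs = dict(ci_jobs) if has_ci_yml else {}
    for policy in policies:
        if policy_applies(policy, branch):
            for action in policy["actions"]:
                jobs[action["scan"]] = {"stage": "test", "tags": action.get("tags", [])}
    return {"source": source, "jobs": jobs}
```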
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Merge request reports
Activity
changed milestone to %16.1
assigned to @mc_rocha
Documentation review: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
The following files require a review from a technical writer:
- doc/api/graphql/reference/index.md
The review does not need to block merging this merge request. See the:
- Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
| Category | Reviewer | Maintainer |
|---|---|---|
| backend | Hitesh Raghuvanshi (@hraghuvanshi) (UTC+5.5, 9.5 hours ahead of @mc_rocha) | Mehmet Emin Inac (@minac) (UTC+2, 6 hours ahead of @mc_rocha) |
| ~"Verify" | Reviewer review is optional for ~"Verify" | Laura Montemayor (@lauraX) (UTC+2, 6 hours ahead of @mc_rocha) |
To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Setting label(s) Category:Security Policy Management based on group security policies.
added Category:Security Policy Management label
added 363 commits
- 878db643...b8ca2b58 - 357 commits from branch master
- 99a2a51a - Scan execution create pipeline
- b8404fd8 - Scan execution create pipeline
- 987154ed - Scan execution create pipeline
- a277cb96 - Scan execution create pipeline
- a669c20c - Allow scan execution policies to create pipelines
- c54c37fc - Allow scan execution policies to create pipelines
A deleted user added feature flag label
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@424e76ba
- Resolved by Allison Browne
Allure report
allure-report-publisher generated test report!
e2e-test-on-gdk: test report for 63407e6e
+--------+--------+--------+---------+-------+-------+--------+
|        | passed | failed | skipped | flaky | total | result |
+--------+--------+--------+---------+-------+-------+--------+
| Govern | 2      | 0      | 0       | 0     | 2     | ✅     |
+--------+--------+--------+---------+-------+-------+--------+
| Total  | 2      | 0      | 0       | 0     | 2     | ✅     |
+--------+--------+--------+---------+-------+-------+--------+
e2e-package-and-test: test report for 63407e6e
+--------+--------+--------+---------+-------+-------+--------+
|        | passed | failed | skipped | flaky | total | result |
+--------+--------+--------+---------+-------+-------+--------+
| Govern | 96     | 6      | 8       | 8     | 110   | ❌     |
+--------+--------+--------+---------+-------+-------+--------+
| Total  | 96     | 6      | 8       | 8     | 110   | ❌     |
+--------+--------+--------+---------+-------+-------+--------+
added 37 commits
- c54c37fc...4dcea083 - 30 commits from branch master
- 17041726 - Scan execution create pipeline
- 3b2b4628 - Scan execution create pipeline
- a434db5f - Scan execution create pipeline
- 2756b257 - Scan execution create pipeline
- e9d0f9a8 - Allow scan execution policies to create pipelines
- 496e4e6b - Allow scan execution policies to create pipelines
- 966a1f48 - Allow scan execution policies to create pipelines
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@34670740
added 1 commit
- 9b8ff9f8 - Allow scan execution policies to create pipelines
A deleted user added documentation label
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@293d18f4
mentioned in issue #403723 (closed)
added 1087 commits
- 9b8ff9f8...875a4a45 - 1078 commits from branch master
- 777f5248 - Scan execution create pipeline
- 152cc909 - Scan execution create pipeline
- 3cfcec12 - Scan execution create pipeline
- fab69403 - Scan execution create pipeline
- 927f80f8 - Allow scan execution policies to create pipelines
- b9d7c270 - Allow scan execution policies to create pipelines
- 641322d9 - Allow scan execution policies to create pipelines
- 81d35c1b - Allow scan execution policies to create pipelines
- f0af5c04 - Scan execution create pipeline
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@238f72b0
added 225 commits
- c0e9021a...475fa4e8 - 214 commits from branch master
- 9ad2f310 - 1 earlier commit
- 52acc0ba - Scan execution create pipeline
- 0bbf05d2 - Scan execution create pipeline
- 333356af - Scan execution create pipeline
- fd5f8bda - Allow scan execution policies to create pipelines
- 4349da87 - Allow scan execution policies to create pipelines
- 0eeee741 - Allow scan execution policies to create pipelines
- fe443b32 - Allow scan execution policies to create pipelines
- e98deb1d - Scan execution create pipeline
- 6a112688 - Scan execution create pipeline
- e395cb02 - Scan execution create pipeline
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@9f4522f8
- Resolved by Sashi Kumar Kumaresan
- Resolved by Sashi Kumar Kumaresan
mentioned in issue #393960
- Resolved by Sashi Kumar Kumaresan
added 1550 commits
- e395cb02...df7a4239 - 1536 commits from branch master
- df7a4239...78d84a29 - 4 earlier commits
- 924b2291 - Allow scan execution policies to create pipelines
- 2b9de193 - Allow scan execution policies to create pipelines
- 92e69abf - Allow scan execution policies to create pipelines
- 4bc5856b - Allow scan execution policies to create pipelines
- 2d940779 - Scan execution create pipeline
- a7ada081 - Scan execution create pipeline
- 676e7b5d - Scan execution create pipeline
- a5c4c391 - Scan execution create pipeline
- 1ab8a1a0 - Scan execution create pipeline
- e6b52850 - Scan execution create pipeline
A deleted user added citemplates label
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@476562aa
added 270 commits
- e6b52850...fda8caec - 255 commits from branch master
- fda8caec...8b054825 - 5 earlier commits
- 81307cc7 - Allow scan execution policies to create pipelines
- 60823b85 - Allow scan execution policies to create pipelines
- fb50f893 - Allow scan execution policies to create pipelines
- ef2a503e - Scan execution create pipeline
- 3412c218 - Scan execution create pipeline
- 06107377 - Scan execution create pipeline
- 315ec970 - Scan execution create pipeline
- 37d86510 - Scan execution create pipeline
- 508b8104 - Scan execution create pipeline
- b1f47bdd - Scan execution create pipeline
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@3d8c1f86
mentioned in commit 3924f578
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@36a0dff5
mentioned in commit 244e1c7f
mentioned in commit f62618db
added 386 commits
- 3924f578...e4f2632a - 383 commits from branch master
- a8661958 - Scan execution create pipeline
- 244e1c7f - Add Security Policy Default source
- f62618db - Add Security Policy Default source
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@235acf8f
requested review from @bwill
requested review from @sashi_kumar
- Resolved by Sashi Kumar Kumaresan
Hi @bwill, could you please do the ~"Verify" review?
- Resolved by Allison Browne
Hi @sashi_kumar, could you please do the initial backend review?
- Resolved by Sashi Kumar Kumaresan
- Resolved by Sashi Kumar Kumaresan
removed review request for @bwill