Allow scan execution policies to create pipelines

What does this MR do and why?

As someone accountable for an organization's security posture, I want to be confident that security scans are running on all of my repositories, even if those repositories do not have CI/CD configured.

Today, scan execution policies only ensure that the security scan configuration is present in pipelines that run. Something still needs to ensure that those pipelines are triggered. To ensure that those pipelines are triggered, new pipelines should be created if a scan execution policy applies to the repository. This should happen even if Auto DevOps is disabled and no .gitlab-ci.yml is present.

We are adding a new config source to create pipelines with the security policy scans if the Auto DevOps is disabled and no .gitlab-ci.yml is available.

Related issue #403723 (closed)

Screenshots or screen recordings

Pipeline with the new security policy template

Pipeline with the .gitlab-ci.yml jobs merged with the security scan defined in the policy.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

1. Enable the feature flag

rails c

Feature.enable(:scan_execution_policy_pipelines)

1. Create a new project with a readme file.
2. Go to /-/settings/ci_cd
3. Click Expand in the Auto DevOps section
4. Disable the option Default to Auto DevOps pipeline
5. Create a new Scan execution policy with the content

type: scan_execution_policy
name: 'Test policy pipeline'
description: ''
enabled: true
rules:
  - type: pipeline
    branches:
      - '*'
actions:
  - scan: container_scanning
    tags: []

6. Click Configure with a merge request
7. Merge the new MR
8. Update the readme file using the web ide and push the changes to the main branch
9. Go to '-/pipelines' page
10. Check if a pipeline was created
11. Check if the pipeline contains the jobs defined in the new template
12. Add a .gitlab-ci.yml file with the content

test1:
  stage: test
  script:
    - echo "Do a test here"

13. Wait for the pipeline execution
14. Check if the pipeline contains the jobs defined by the Scan Execution policy

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.

ee/lib/ee/gitlab/ci/project_config.rb

@@ -10,6 +10,7 @@ module ProjectConfig
 
         override :sources
         def sources
+          # SecurityPolicyDefault should come last. It is only necessary if no other source is available.
           [::Gitlab::Ci::ProjectConfig::Compliance].concat(super)
                                                    .concat([::Gitlab::Ci::ProjectConfig::SecurityPolicyDefault])
         end