Allow scan execution policies to create pipelines
What does this MR do and why?
As someone accountable for an organization's security posture, I want to be confident that security scans are running on all of my repositories, even if those repositories do not have CI/CD configured.
Today, scan execution policies only ensure that the security scan configuration is present in pipelines that run. Something still needs to ensure that those pipelines are triggered. To ensure that, new pipelines should be created whenever a scan execution policy applies to the repository. This should happen even if Auto DevOps is disabled and no .gitlab-ci.yml is present.
We are adding a new config source that creates pipelines containing the security policy scans when Auto DevOps is disabled and no .gitlab-ci.yml is available.
Related issue #403723 (closed)
Screenshots or screen recordings
Pipeline with the new security policy template.
Pipeline with the .gitlab-ci.yml jobs merged with the security scan defined in the policy.
How to set up and validate locally
- Enable the feature flag from a Rails console (rails c):
  Feature.enable(:scan_execution_policy_pipelines)
- Create a new project with a readme file.
- Go to /-/settings/ci_cd
- Click Expand in the Auto DevOps section
- Disable the option "Default to Auto DevOps pipeline"
- Create a new Scan execution policy with the content

```yaml
type: scan_execution_policy
name: 'Test policy pipeline'
description: ''
enabled: true
rules:
  - type: pipeline
    branches:
      - '*'
actions:
  - scan: container_scanning
    tags: []
```

- Click "Configure with a merge request"
- Merge the new MR
- Update the readme file using the Web IDE and push the changes to the main branch
- Go to the '-/pipelines' page
- Check that a pipeline was created
- Check that the pipeline contains the jobs defined in the new template
- Add a .gitlab-ci.yml file with the content

```yaml
test1:
  stage: test
  script:
    - echo "Do a test here"
```

- Wait for the pipeline execution
- Check that the pipeline contains the jobs defined by the Scan Execution policy
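The config-source decision described in this MR and exercised by the validation steps above, as an added Ruby model (not code from the GitLab code base): the policy and the .gitlab-ci.yml are the constructed samples from the steps, the job naming, the "-policy" suffix and the source symbols are assumed labels rather than GitLab's real template or enum values.

```ruby
require 'yaml'
# Constructed sample policy, taken from the validation steps above.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: 'Test policy pipeline'
  enabled: true
  rules:
    - type: pipeline
      branches: ['*']
  actions:
    - scan: container_scanning
      tags: []
YAML
# Constructed .gitlab-ci.yml from the last validation step.
PROJECT_CI_YAML = <<~YAML
  test1:
    stage: test
    script:
      - echo "Do a test here"
YAML

# A policy applies when it is enabled and one of its pipeline rules' branch globs matches.
def policy_applies?(policy, branch)
  return false unless policy['enabled']
  policy['rules'].any? do |rule|
    rule['type'] == 'pipeline' && rule['branches'].any? { |glob| File.fnmatch(glob, branch) }
  end
end

# One job per scan action. Assumption: the job is named "<scan>-policy" and runs in the
# test stage; the real policy template includes GitLab's scanner templates instead.
def policy_jobs(policy)
  policy['actions'].each_with_object({}) do |action, jobs|
    jobs["#{action['scan']}-policy"] = { 'stage' => 'test', 'tags' => action['tags'] }
  end
end

# Pick the config source and the resulting job set (source names are assumed labels).
# A nil source means no pipeline is created, which is the gap this MR closes.
def resolve_pipeline(ci_yaml:, auto_devops:, policies:, branch:)
  applicable = policies.select { |p| policy_applies?(p, branch) }
  scan_jobs = applicable.map { |p| policy_jobs(p) }.reduce({}, :merge)
  if ci_yaml
    [:repository_source, YAML.safe_load(ci_yaml).merge(scan_jobs)] # merged into project jobs
  elsif auto_devops
    [:auto_devops_source, scan_jobs] # Auto DevOps' own jobs are omitted from this model
  elsif scan_jobs.any?
    [:security_policies_default_source, scan_jobs] # new: policy scans alone trigger a run
  else
    [nil, {}]
  end
end
```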
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.