Add `branch_type` support to scan execution policies
What does this MR do and why?
We are adding branch_type support to security policies (&9468 (closed)).
This MR adds branch_type support to Scan execution policies.
Currently, security policies specify their targeted branches with the branches key. The value can be wildcarded, e.g. feature-* to target mutliple branches. We are now adding branch_type which accepts one of three values: all, protected and default.
For details on branch_type, see Proposal.
How to set up and validate locally
-
Create a new group
-
Create a new contained project
-
Enable the feature flag for the project:
Feature.enable(:security_policies_branch_type, Project.last) -
Commit the following
.gitlab-ci.yml:dummy_job: script: - exit 0 -
Commit an empty
Gemfile.lockfor Dependency Scanning jobs to execute. -
Navigate to
Repository > Branchesand create the following branches:developfeature-1feature-2legacy
-
Navigate to
Settings > Repository, expand theProtected branchessection and create the following protected branches:developfeature-*
Validating type: pipeline rules
-
On the group level, navigate to
Security and Compliance > Policiesand create the following scan execution policy:type: scan_execution_policy name: Pipeline / Default Branch / Container Scan description: '' enabled: true rules: - type: pipeline branch_type: default actions: - scan: container_scanning variables: CS_IMAGE: "nginx:1" -
On the project level, navigate to
Security and Compliance > Policiesand create the following scan execution policies:type: scan_execution_policy name: Pipeline / Protected Branches / Secret Detection description: '' enabled: true rules: - type: pipeline branch_type: protected actions: - scan: secret_detectiontype: scan_execution_policy name: Pipeline / All Branches / Dependency Scanning description: '' enabled: true rules: - type: pipeline branch_type: all actions: - scan: dependency_scanning -
Navigate to
CI/CD > Pipelines, run pipelines for the following branches and verify their jobs:Pipeline branch Jobs maindummy_job,container-scanning-0,secret-detection-1,gemnasium-dependency-scanning-2developdummy_job,secret-detection-0,gemnasium-dependency-scanning-1feature-1dummy_job,secret-detection-0,gemnasium-dependency-scanning-1legacydummy_job,gemnasium-dependency-scanning-0
Validating type: schedule rules
-
On the group or project level, navigate to
Security and Compliance > Policiesand create the following scan execution policies:type: scan_execution_policy name: Scheduled / Protected Branches / DAST description: '' enabled: true rules: - type: schedule cadence: "0 0 * * *" branch_type: protected actions: - scan: dast site_profile: nonexistent scanner_profile: nonexistenttype: scan_execution_policy name: Scheduled / Default Branch / Container Scanning description: '' enabled: true rules: - type: schedule cadence: "0 0 * * *" branch_type: default actions: - scan: container_scanning -
Clear the previously created pipelines from with
Project.find(ID).all_pipelines.destroy_all. -
Create
run.rbwith the following contents:PROJECT = Project.find(-1) # replace configs = PROJECT.all_security_orchestration_policy_configurations schedules = Security::OrchestrationPolicyRuleSchedule.where(security_orchestration_policy_configuration_id: configs) schedules.each do |schedule| Security::SecurityOrchestrationPolicies::RuleScheduleService .new(container: schedule.security_orchestration_policy_configuration.project, current_user: User.first) .execute(schedule) end -
Execute it with
bin/rails runner run.rb -
Navigate to
CI/CD > Pipelinesand confirm the following (job, branches) pipeline combinations were created:Job Branches container-scanning-0maindast-on-demand-0main,develop,feature-1,feature-2
Other things to try
Validate policies with wildcard branches
-
Add the following scan execution policy:
type: scan_execution_policy name: Pipeline / Wildcard Branch / Container Scanning description: '' enabled: true rules: - type: pipeline branches: ["leg*"] actions: - scan: container_scanning variables: CS_IMAGE: "nginx:1" -
Navigate to
CI/CD > Pipelines, run a pipeline for thelegacybranch and verify its jobs:dummy_jobcontainer-scanning-1gemnasium-dependency-scanning-0
Validate scan result policies
-
Create the following scan execution policy:
type: scan_result_policy name: Scan Result Policy description: '' enabled: true rules: - type: scan_finding branches: [] scanners: - container_scanning vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: - new_needs_triage actions: - type: require_approval approvals_required: 1 user_approvers_ids: - 1 -
Add Container Scanning to
.gitlab-ci.ymlon thedevelopbranch:dummy_job: script: - exit 0 include: - template: Security/Container-Scanning.gitlab-ci.yml -
Open a new Merge Request targeting
developand confirm theScan Result Policyapproval rule applies.
Disabling the feature
Validating type: pipeline rules
-
Ensure the
Pipeline / Wildcard Branch / Container Scanningpolicy from above exists. -
Disable the feature:
Feature.disable(:security_policies_branch_type, Project.find(ID) -
Navigate to
CI/CD > Pipelines, run a pipeline for thelegacybranch and verify its jobs:dummy_jobcontainer-scanning-0
Validating type: schedule rules
-
Ensure you don't have more than 4 scan execution policies, as 5 is the limit per configuration.
-
Create the following scan execution policy:
name: Scheduled / Wildcard Branch / Container Scanning description: '' enabled: true actions: - scan: container_scanning tags: [] rules: - type: schedule cadence: 0 0 * * * branches: - leg* -
Execute
bin/rails runner run.rb -
Verify the
container-scanning-0is the only job in the pipeline.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #404774 (closed)