Auto accept terms for security_policy_bot users
requested to merge 414278-fix-security-policy-bot-not-allowed-to-run-pipelines-on-gitlab-com into master
What does this MR do and why?
This MR fixes an issue where scheduled pipelines from scan execution policies are not created when terms are enforced on the instance: the `security_policy_bot` user that creates them has never accepted the terms, so it is blocked like any other user who has not accepted them. With this change, the bot user accepts the terms automatically.
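To make the failure mode and the fix concrete, the following is a stand-alone Ruby model added here by the editor; it is not GitLab's code and none of it ships with this MR. The class names, the `:security_policy_bot` user type, the `required_terms_not_accepted?` method and the bot username format are assumptions chosen to mirror the concepts in this MR.

```ruby
# Constructed, stand-alone model of terms enforcement for bot users.
# NOT GitLab's own code: every name below is an assumption that mirrors the
# concepts in the MR (enforce_terms, security_policy_bot, accepted term).

Term = Struct.new(:id, :text)

# Instance-wide settings, the equivalent of what is configured under
# admin/application_settings/general.
class Settings
  attr_reader :enforce_terms, :current_term

  def initialize(enforce_terms: false, current_term: nil)
    @enforce_terms = enforce_terms
    @current_term = current_term
  end
end

class User
  attr_reader :username, :user_type, :accepted_term_id

  def initialize(username, user_type: :human)
    @username = username
    @user_type = user_type
    @accepted_term_id = nil # nothing accepted at creation time
  end

  def security_policy_bot?
    user_type == :security_policy_bot
  end

  # Records acceptance of one specific published term version.
  def accept_terms!(term)
    @accepted_term_id = term.id
  end

  # True when the instance enforces terms and this user has not accepted the
  # currently published version. A user in this state cannot run pipelines.
  def required_terms_not_accepted?(settings)
    return false unless settings.enforce_terms && settings.current_term

    accepted_term_id != settings.current_term.id
  end
end

# Bot creation as it behaved before the fix: the bot is created like any other
# user and never accepts anything (username format is an assumption).
def create_policy_bot_before_fix(project_id, _settings)
  User.new("gitlab_security_policy_project_#{project_id}_bot",
           user_type: :security_policy_bot)
end

# Bot creation with the fix: when terms are enforced, the bot accepts the
# current term as part of being created, so the scheduled pipeline can run.
def create_policy_bot_with_fix(project_id, settings)
  bot = create_policy_bot_before_fix(project_id, settings)
  bot.accept_terms!(settings.current_term) if settings.enforce_terms && settings.current_term
  bot
end

# The decision the scheduler effectively makes when it tries to create the
# scan execution pipeline on behalf of a user.
def scheduled_pipeline_created?(user, settings)
  !user.required_terms_not_accepted?(settings)
end

# Worked scenario: terms enforced, one human who accepted them, and the two
# bot variants. Returns a hash so the outcome can be inspected or asserted on.
def demo
  term = Term.new(1, "Terms of service v1") # constructed sample term
  settings = Settings.new(enforce_terms: true, current_term: term)

  human = User.new("alice")
  human.accept_terms!(term)

  old_bot = create_policy_bot_before_fix(42, settings)
  new_bot = create_policy_bot_with_fix(42, settings)

  {
    human: scheduled_pipeline_created?(human, settings),
    bot_before_fix: scheduled_pipeline_created?(old_bot, settings),
    bot_with_fix: scheduled_pipeline_created?(new_bot, settings)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
# => {:human=>true, :bot_before_fix=>false, :bot_with_fix=>true}
```

Two things the model makes visible that are worth checking on a real instance: with `enforce_terms` off, the pre-fix bot runs pipelines without trouble, which is why the bug only shows up on instances that enforce terms; and once a new term version is published, an acceptance recorded at bot creation no longer matches the current term, so whether a re-published term blocks the bot again is a separate question this MR does not answer.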
How to set up and validate locally
- Enforce the terms of service and privacy policy under `admin/application_settings/general`.
- Enable the `scan_execution_bot_users` feature flag.
- Prepare the test project. Follow the steps below or clone https://gitlab.com/gitlab-org/govern/security-policies/andys-test-group/scan-execution-policy-test
  - Create a new project with a working `.gitlab-ci.yml` file. For example, use the Bash template.
  - Add an empty file named `package.json` to the project. This is required for the SAST scan to run.
  - On the left sidebar, select Repository and Branches.
  - Select New branch.
  - Enter `test` as the name.
  - Select Create branch.
- Prepare the security policy.
  - On the left sidebar, select Security and Compliance and then Policies.
  - Select New policy.
  - Select Scan execution policy.
  - Switch to `.yaml` mode.
  - Replace the content with the example policy YAML below.
  - Select Configure with a merge request.
  - Select Merge.
- Go back to your initial project.
- There should now be a bot member named GitLab Security Policy Bot.
- Wait for the next full hour until the scheduled pipeline is triggered, or trigger it manually from a Rails console (`update_columns` skips validations and callbacks; that is fine here because it only backdates the schedule so the worker picks it up):

  ```ruby
  Security::OrchestrationPolicyRuleSchedule.last.update_columns(next_run_at: 1.day.ago)
  Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  ```

- View the pipelines page of your project.
- There should be a new pipeline triggered by the GitLab Security Policy Bot.
- For public projects, the pipeline should pass. For private projects, a follow-up MR fixes access for `security_policy_bot`.
Example policy YAML

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: schedule
    branches:
      - test
    cadence: 0 * * * *
actions:
  - scan: sast
    tags: []
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #414278 (closed)
Edited by Martin Čavoj