Allow security_policy_bot to run pipelines on protected branches

What does this MR do and why?

This change allows security_policy_bot to run pipelines on all branches, regardless of whether they are protected or not. This is necessary for scan execution policies to be able to run scheduled pipelines.

Currently, the security policy bot can only run scheduled pipelines on non-protected branches. Running it on main leads to the following errors: logs

How to set up and validate locally

  1. In the Rails console, fully enable the experiment:
    Feature.enable(:scan_execution_bot_users)
  2. Prepare the test project. Follow the steps below:
    1. Create a new private project with a working .gitlab-ci.yml file. For example, use the bash template.
    2. Add an empty file named package.json to the project. This is required for the SAST scan to run.
  3. Prepare the security policy:
    1. On the left sidebar, select Security and Compliance, then Policies.
    2. Select New policy.
    3. Select Scan execution policy.
    4. Switch to .yaml mode.
    5. Replace the content with the example policy yaml below.
    6. Select Configure with a merge request.
    7. Select Merge.
    8. Go back to your initial project.
    9. There should now be a bot member named GitLab Security Policy Bot.
  4. Wait for the next full hour until the scheduled pipeline is triggered, or trigger the job manually:
    Security::OrchestrationPolicyRuleSchedule.last.update_columns next_run_at: 1.day.ago
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  5. View the pipelines page of your project.
  6. There should be a new pipeline triggered by the GitLab Security Policy Bot.
  7. The pipeline should pass.

Example policy yaml

type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: schedule
    branches:
      - main
    cadence: 0 * * * *
actions:
  - scan: sast
    tags: []
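As an added sanity check for the validation steps above (example code written for this page, not part of GitLab or of this MR), the following Ruby snippet loads a scan execution policy like the one above, checks the fields the example relies on, and lists which scheduled branches are protected, i.e. the branches on which the bot's scheduled pipelines failed before this change. The field checks are an assumption based on the example policy, not GitLab's real schema validation.

```ruby
require 'yaml'

# Constructed sample: the example policy from this MR description.
EXAMPLE_POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: test
  description: ''
  enabled: true
  rules:
    - type: schedule
      branches:
        - main
      cadence: 0 * * * *
  actions:
    - scan: sast
      tags: []
YAML

CRON_FIELDS = 5 # minute hour day-of-month month day-of-week

# Returns a list of problems; an empty list means the policy looks usable.
# Assumed checks derived from the example above, not GitLab's own validation.
def validate_scan_execution_policy(yaml_text)
  policy = YAML.safe_load(yaml_text)
  errors = []
  errors << 'type must be scan_execution_policy' unless policy['type'] == 'scan_execution_policy'
  errors << 'name is required' if policy['name'].to_s.empty?
  errors << 'policy is disabled' unless policy['enabled'] == true

  rules = policy['rules'] || []
  errors << 'at least one rule is required' if rules.empty?
  rules.each_with_index do |rule, i|
    next errors << "rules[#{i}]: unsupported rule type #{rule['type'].inspect}" unless rule['type'] == 'schedule'

    branches = rule['branches']
    errors << "rules[#{i}]: branches must be a non-empty list" unless branches.is_a?(Array) && branches.any?
    # The cadence is a cron expression; the worker only fires when next_run_at is due.
    errors << "rules[#{i}]: cadence must be a #{CRON_FIELDS}-field cron expression" unless rule['cadence'].to_s.split.size == CRON_FIELDS
  end

  actions = policy['actions'] || []
  errors << 'at least one action is required' if actions.empty?
  actions.each_with_index { |a, i| errors << "actions[#{i}]: scan is required" if a['scan'].to_s.empty? }
  errors
end

# Scheduled branches that are protected. Before this MR the bot could not run
# pipelines on these; with it, the schedule covers them as well.
def protected_scheduled_branches(yaml_text, protected_branches)
  policy = YAML.safe_load(yaml_text)
  scheduled = (policy['rules'] || []).select { |r| r['type'] == 'schedule' }.flat_map { |r| r['branches'] || [] }
  scheduled.uniq & protected_branches
end
```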

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #414278 (closed)

Edited by Martin Čavoj