
Fix scan execution policy CI variables for pipelines

What does this MR do and why?

This MR allows the SECRET_DETECTION_HISTORIC_SCAN variable to be set for secret detection scans in scan execution policies for regular pipelines.

This fixes the bug where a user added the CI variable SECRET_DETECTION_HISTORIC_SCAN: 'true', but the secret detection job in the pipeline did not use the variable value.

Related to #420332 (closed)

Screenshots or screen recordings

Before: Screenshot_2023-08-29_at_11.11.54_AM
After: Screenshot_2023-08-29_at_11.33.05_AM

How to set up and validate locally

  1. Create a new project
  2. Navigate to Secure => Policies => New policy => Scan execution
  3. Create a policy like:
type: scan_execution_policy
name: Secret Detection Execution
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: secret_detection
    variables:
      SECRET_DETECTION_HISTORIC_SCAN: 'true'
      SECURE_LOG_LEVEL: debug
      SECRET_DETECTION_RULESET_GIT_REFERENCE: >-
        $USER_EXT_RULESET_SEC_POL:$EXT_RULESET_SEC_POL@gitlab.com/roche/playground/gitlab-duo/group-security-policies
scan_result_policy:
  - name: Found Secret Block
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
  4. Save the policy and merge it.
  5. Add a .gitlab-ci.yml like:
test-job:
  script:
    - echo "Test Job..."
  6. Wait for the pipeline execution.
  7. Inspect the secret detection job logs and look for the SECRET_DETECTION_HISTORIC_SCAN value. It should be true as defined in the policy.
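The variable precedence this MR is about, as an added Ruby example that is not part of this MR or of GitLab's own code: it reads the action variables out of the scan execution policy, merges them over assumed template defaults so that the policy value wins, models the symptom reported in #420332 as a wrong merge order (the real root cause is not reproduced here), and extracts the effective value from a constructed job log like the one step 7 asks you to inspect. POLICY_YAML, TEMPLATE_JOB, SAMPLE_LOG and all function names are assumptions made for this example.

```ruby
require 'yaml'

# Constructed policy fragment modelled on the scan execution policy above (the
# scan result policy part is omitted because it plays no role in variable
# injection). Example code, not GitLab's implementation.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: Secret Detection Execution
  enabled: true
  rules:
    - type: pipeline
      branch_type: all
  actions:
    - scan: secret_detection
      variables:
        SECRET_DETECTION_HISTORIC_SCAN: 'true'
        SECURE_LOG_LEVEL: debug
YAML

# Assumed defaults for the generated secret detection job. Hypothetical values,
# not copied from the GitLab CI template.
TEMPLATE_JOB = {
  'stage' => 'test',
  'script' => ['/analyzer run'],
  'variables' => {
    'SECRET_DETECTION_HISTORIC_SCAN' => 'false',
    'SECURE_LOG_LEVEL' => 'info'
  }
}.freeze

# Variables declared under the policy action for the given scanner, as strings.
# Returns an empty hash when the policy has no action for that scanner.
def policy_variables(policy_yaml, scan)
  policy = YAML.safe_load(policy_yaml)
  action = Array(policy['actions']).find { |a| a['scan'] == scan }
  return {} unless action
  (action['variables'] || {}).transform_values(&:to_s)
end

# Correct precedence: job defaults first, policy variables merged last, so a
# value set in the policy overrides the template default.
def build_job(template, policy_vars)
  job = Marshal.load(Marshal.dump(template)) # deep copy, template stays frozen
  job['variables'] = job['variables'].merge(policy_vars)
  job
end

# Model of the symptom from the MR description (not its actual root cause):
# if the template defaults are merged after the policy, the policy value is
# silently discarded and the job runs with SECRET_DETECTION_HISTORIC_SCAN=false.
def build_job_defaults_win(template, policy_vars)
  job = Marshal.load(Marshal.dump(template))
  job['variables'] = policy_vars.merge(job['variables'])
  job
end

# Constructed log excerpt standing in for the secret detection job output at
# SECURE_LOG_LEVEL=debug. The analyzer's exact wording is not reproduced here.
SAMPLE_LOG = <<~LOG
  [INFO] [secrets] starting analyzer
  [DEBU] [secrets] SECRET_DETECTION_HISTORIC_SCAN=true
  [DEBU] [secrets] SECURE_LOG_LEVEL=debug
LOG

# Pull the effective value out of a job log; nil if the variable never appears,
# which is the "before" situation in step 7.
def historic_scan_value(log)
  m = log.match(/SECRET_DETECTION_HISTORIC_SCAN[=:]\s*"?([^"\s]+)"?/)
  m && m[1]
end

if __FILE__ == $PROGRAM_NAME
  vars = policy_variables(POLICY_YAML, 'secret_detection')
  puts "policy wins:   #{build_job(TEMPLATE_JOB, vars)['variables']}"
  puts "defaults win:  #{build_job_defaults_win(TEMPLATE_JOB, vars)['variables']}"
  puts "job log value: #{historic_scan_value(SAMPLE_LOG).inspect}"
end
```

Run it with `ruby` and compare the two merged variable hashes: the first carries `'true'` and `debug` from the policy, the second shows what a job looks like when the policy variables never take effect, which is what the screenshot pair above illustrates.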

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
