
Set policies CI variables with the highest precedence

What does this MR do and why?

This MR changes the CI variable precedence for variables defined by security policies: for scan execution policy jobs they are now enforced with the highest precedence, so they cannot be overwritten. Previously, the policy variables were set as part of each job (at the job-variable level), so variables defined on the instance, group or project level, or variables passed to a manual pipeline run, could overwrite them.

This change is done behind a feature flag.

Screenshots or screen recordings

Job | Variable value (screenshot)
build-job | CleanShot_2023-10-27_at_17.39.03_2x
dast | CleanShot_2023-10-27_at_17.40.00_2x
sast_iac | CleanShot_2023-10-27_at_17.41.57_2x
dependency-scanning | CleanShot_2023-10-27_at_17.42.52_2x
container-scanning | CleanShot_2023-10-27_at_17.43.22_2x
secrets-detection | CleanShot_2023-10-27_at_17.43.56_2x
sast | CleanShot_2023-10-27_at_17.44.31_2x

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:security_policies_variables_precedence)
  2. Go to Secure -> Policies and create a new Scan Execution Policy. Switch to .yaml mode and, using the following YAML, define the various scans, each with a different value for the same CI variable:
    type: scan_execution_policy
    name: All scans
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: dast
        site_profile: ''
        scanner_profile: ''
        variables:
          TEST_TOKEN: my-dast-policy-token
      - scan: sast_iac
        variables:
          TEST_TOKEN: my-sast-iac-policy-token
      - scan: dependency_scanning
        variables:
          TEST_TOKEN: my-dependency-scanning-policy-token
      - scan: container_scanning
        variables:
          TEST_TOKEN: my-container-scanning-policy-token
      - scan: secret_detection
        variables:
          TEST_TOKEN: my-secrets-policy-token
      - scan: sast
        variables:
          TEST_TOKEN: my-sast-policy-token
  3. Add a .gitlab-ci.yml file:
    variables:
      TEST_TOKEN: "my-global-token"
      CI_DEBUG_TRACE: "true"
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
      variables:
        TEST_TOKEN: "my-build-job-token"
  4. Define the TEST_TOKEN CI variable on the various levels:
     - Admin -> Settings -> CI/CD -> Variables with value my-instance-token
     - Group -> Settings -> CI/CD -> Variables with value my-group-token
     - Project -> Settings -> CI/CD -> Variables with value my-project-token
  5. Go to Pipelines -> Run pipeline. Add a TEST_TOKEN variable with value my-manual-pipeline-run-token.
  6. Go to the created pipeline and observe the output of each job (CI_DEBUG_TRACE prints the exported variables). Each job should have TEST_TOKEN exported, and the last exported value should match the value defined in the policy.
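The precedence change itself, as an added Ruby model that is not GitLab's code: it resolves TEST_TOKEN for each job with the policy variables merged at job level (old behaviour) and merged last (behaviour behind the flag). The ordering of the non-policy layers is assumed from GitLab's documented variable precedence; job names and values are taken from the steps and screenshots above.

```ruby
# Added example, not GitLab's own code: a toy model of how a job's effective
# CI variables are resolved, contrasting the old behaviour (policy variables
# injected at job level, so higher layers could overwrite them) with the
# behaviour behind security_policies_variables_precedence (policy variables
# applied last, with the highest precedence).
#
# Assumed ascending precedence of the non-policy layers (GitLab's documented
# order): global YAML < job YAML < instance < group < project < manual run.

# Policy variables per scan job, constructed from the policy YAML above.
POLICY_JOB_VARIABLES = {
  'dast'                => { 'TEST_TOKEN' => 'my-dast-policy-token' },
  'sast_iac'            => { 'TEST_TOKEN' => 'my-sast-iac-policy-token' },
  'dependency-scanning' => { 'TEST_TOKEN' => 'my-dependency-scanning-policy-token' },
  'container-scanning'  => { 'TEST_TOKEN' => 'my-container-scanning-policy-token' },
  'secrets-detection'   => { 'TEST_TOKEN' => 'my-secrets-policy-token' },
  'sast'                => { 'TEST_TOKEN' => 'my-sast-policy-token' }
}.freeze

# Variables defined outside the policy, lowest precedence first.
# build-job is the only job with its own job-level YAML variables.
GLOBAL_YAML = { 'TEST_TOKEN' => 'my-global-token' }.freeze
JOB_YAML    = { 'build-job' => { 'TEST_TOKEN' => 'my-build-job-token' } }.freeze
INSTANCE    = { 'TEST_TOKEN' => 'my-instance-token' }.freeze
GROUP       = { 'TEST_TOKEN' => 'my-group-token' }.freeze
PROJECT     = { 'TEST_TOKEN' => 'my-project-token' }.freeze
MANUAL_RUN  = { 'TEST_TOKEN' => 'my-manual-pipeline-run-token' }.freeze

# Effective variables for job_name. With policy_precedence: false the policy
# variables are merged into the job-YAML layer (old behaviour); with
# policy_precedence: true they are merged after every other layer.
def effective_variables(job_name, policy_precedence:)
  policy_vars = POLICY_JOB_VARIABLES.fetch(job_name, {})
  job_vars = JOB_YAML.fetch(job_name, {})
  job_vars = job_vars.merge(policy_vars) unless policy_precedence

  layers = [GLOBAL_YAML, job_vars, INSTANCE, GROUP, PROJECT, MANUAL_RUN]
  layers << policy_vars if policy_precedence

  layers.reduce({}) { |acc, layer| acc.merge(layer) }
end

def test_token(job_name, policy_precedence:)
  effective_variables(job_name, policy_precedence: policy_precedence)['TEST_TOKEN']
end

(POLICY_JOB_VARIABLES.keys + ['build-job']).each do |job|
  puts format('%-20s old=%-30s new=%s', job,
              test_token(job, policy_precedence: false),
              test_token(job, policy_precedence: true))
end
```

build-job has no policy entry, so its value comes from the manual run in both modes; only the scan execution policy jobs change.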

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #424028 (closed)

Edited by Martin Čavoj
