Allow remote CI file for security policy custom yaml
requested to merge 424485-allow-remote-CI-configuration-files-for-security-policy-compliance-pipelines into master
What does this MR do and why?
In !126457 (merged) we added the possibility to define custom CI yaml in a security policy that will be injected into a pipeline. The feature is experimental and behind the compliance_pipeline_in_policies
feature flag.
This MR improves the feature so users can define an external file for the custom yaml.
To archive this we:
- Change the security policy schema to allow a
ci_configuration_path
configuration that takesproject
,path
andref
. - Use
Gitlab::Ci::Config::External::Processor
to load the external file. - Pass down the CI context to
Security::SecurityOrchestrationPolicies::CiConfigurationService
so we can check if the user can access the external CI file.
How to set up and validate locally
- Enable the
compliance_pipeline_in_policies
feature flag - Create a private project
- Add a custom CI file to the project. Example:
custom: stage: test script: - echo "This is a test included from security policy"
- Create another project with a simple
.gitlab-ci.yml
file. The CI file is needed so the project can run pipelines. Example:build1: stage: build script: - echo "Do your build here"
- Create a scan execution policy for the project Secure -> Policies -> New policy -> Scan execution policy
- Switch to .yaml mode
- Paste the following example and replace
file
andproject
with the paths to your custom CI file and project:type: scan_execution_policy name: test custom yaml description: '' enabled: true rules: - type: pipeline branch_type: all actions: - scan: custom ci_configuration_path: file: path/to/ci_file.yaml project: path/to/project ref: main
- Select Configure with a merge request and merge the MR.
- Go back to the project and start a pipeline.
- The pipeline should now have two jobs. One from the project and one from the security policy.
- Log in as another user that has developer access to the main project but not to the custom CI project.
- Run a pipeline again. This should now fail with a message like: "Project
...
not found or access denied! ..."
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #424485 (closed)
Edited by Andy Schoenen