Skip to content

Allow remote CI file for security policy custom yaml

Andy Schoenen requested to merge 424485-allow-remote-CI-configuration-files-for-security-policy-compliance-pipelines into master

What does this MR do and why?

In !126457 (merged) we added the possibility to define custom CI yaml in a security policy that will be injected into a pipeline. The feature is experimental and behind the compliance_pipeline_in_policies feature flag.

This MR improves the feature so users can define an external file for the custom yaml.

To archive this we:

  • Change the security policy schema to allow a ci_configuration_path configuration that takes project, path and ref.
  • Use Gitlab::Ci::Config::External::Processor to load the external file.
  • Pass down the CI context to Security::SecurityOrchestrationPolicies::CiConfigurationService so we can check if the user can access the external CI file.

How to set up and validate locally

  1. Enable the compliance_pipeline_in_policies feature flag
  2. Create a private project
  3. Add a custom CI file to the project. Example: 
    custom:
  stage: test
  script:
    - echo "This is a test included from security policy"
  4. Create another project with a simple .gitlab-ci.yml file. The CI file is needed so the project can run pipelines. Example: 
    build1:
  stage: build
  script:
    - echo "Do your build here"
  5. Create a scan execution policy for the project Secure -> Policies -> New policy -> Scan execution policy
  6. Switch to .yaml mode
  7. Paste the following example and replace file and project with the paths to your custom CI file and project: 
    type: scan_execution_policy
name: test custom yaml
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: custom
    ci_configuration_path:
      file: path/to/ci_file.yaml
      project: path/to/project
      ref: main
  8. Select Configure with a merge request and merge the MR.
  9. Go back to the project and start a pipeline.
  10. The pipeline should now have two jobs. One from the project and one from the security policy.
  11. Log in as another user that has developer access to the main project but not to the custom CI project.
  12. Run a pipeline again. This should now fail with a message like: "Project ... not found or access denied! ..."

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #424485 (closed)

Edited by Andy Schoenen

Merge request reports