
Allow security reports ingestion for pipelines blocked by manual jobs

What does this MR do and why?

Allows security reports, SBOM reports and approval rules to be run when a pipeline is blocked by manual jobs.

We are rolling it out with a FF as there are a lot of places in the code whose completion context will now be changed to include the manual state as well.

This implementation is in line with the plan proposed in #439691 (closed).

Screenshots or screen recordings

Before / After screenshots (pipeline security tab and MR security widget; images not reproduced here)

How to set up and validate locally

Set-up:

  1. Can be set up by importing the project https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs

Validation steps:

With FF:
  1. For the imported project, enable the FF in the Rails console:
      > imported_project = Project.find(<project_id_of_imported_project>)
      > Feature.enable(:include_manual_to_pipeline_completion, imported_project)
  2. Run a pipeline on the main branch and allow the pipeline to reach the blocked status.
  3. Refresh the same pipeline page and visit the Security tab; we should observe the vulnerabilities being displayed.
  4. Open the already imported MR in the project which introduces a new vulnerability (See: gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs!1).
  5. Run a new pipeline on the MR, wait for the pipeline state to change to blocked, and refresh the MR page; we should observe that the MR security widget shows one new critical vulnerability being detected.
Without FF:
  1. For the imported project, disable the FF in the Rails console:
      > Feature.disable(:include_manual_to_pipeline_completion, <imported_project>)
  2. Run a pipeline on the main branch and allow the pipeline to reach the blocked status.
  3. Refresh the same pipeline page and visit the Security tab; we should not observe the vulnerabilities being displayed.
  4. Now run the manual job and wait for the pipeline to complete.
  5. Refresh the same pipeline page and visit the Security tab; we should observe the vulnerabilities being displayed.
  6. Open the already imported MR in the project which introduces a new vulnerability (See: gitlab-org/govern/threat-insights-demos/verification-projects/439691-reports-blocked-by-manual-jobs!1).
  7. Run a new pipeline on the MR, wait for the pipeline state to change to blocked, and refresh the MR page; we should observe that the MR security widget shows a parsing error.

Related to #439691 (closed) #346843 (closed)

Edited by Bala Kumar
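As an added illustration of the behaviour the validation steps above exercise (this is not GitLab's code and not part of this MR), the following Ruby models a pipeline "completion" status set that gains the `manual` (blocked) status only when the feature flag is enabled for the project, and shows what the pipeline Security tab and the MR security widget would surface in each branch of the validation. The flag name `include_manual_to_pipeline_completion` comes from the MR; everything else (`COMPLETED_STATUSES`, `FeatureFlags`, `Pipeline`, `security_tab`, `mr_widget`, `validation_outcomes`, and the constructed finding) is assumed for the illustration and does not mirror GitLab's real constants or APIs.

```ruby
# Illustrative model (assumed names, not GitLab's implementation) of the
# completion check that the include_manual_to_pipeline_completion flag widens.
require 'set'

# Statuses that have always counted as "complete" for report ingestion.
# Assumption for this example; GitLab's actual constant may differ.
COMPLETED_STATUSES = %w[success failed canceled skipped].freeze
# A pipeline waiting on a manual job has status "manual" (shown as "blocked").
BLOCKED_STATUS = 'manual'

# Toy per-project feature-flag store standing in for Feature.enable/disable.
class FeatureFlags
  def initialize
    @enabled = Set.new
  end

  def enable(flag, project)
    @enabled << [flag, project]
  end

  def disable(flag, project)
    @enabled.delete([flag, project])
  end

  def enabled?(flag, project)
    @enabled.include?([flag, project])
  end
end

Pipeline = Struct.new(:project, :status, :reports, keyword_init: true)

# Completion statuses for report purposes: the original set, plus "manual"
# when the flag is on for the pipeline's project.
def completion_statuses(flags, project)
  if flags.enabled?(:include_manual_to_pipeline_completion, project)
    COMPLETED_STATUSES + [BLOCKED_STATUS]
  else
    COMPLETED_STATUSES
  end
end

def complete_for_reports?(flags, pipeline)
  completion_statuses(flags, pipeline.project).include?(pipeline.status)
end

# Pipeline Security tab: findings are shown only once the pipeline counts as
# complete; before that, nothing has been ingested.
def security_tab(flags, pipeline)
  complete_for_reports?(flags, pipeline) ? pipeline.reports : []
end

# MR security widget: with no ingested reports to compare against, the widget
# reports a parsing error (the outcome the "Without FF" steps describe).
def mr_widget(flags, pipeline)
  return { status: :parsing_error, new_findings: [] } unless complete_for_reports?(flags, pipeline)

  { status: :ok, new_findings: pipeline.reports }
end

# Re-enacts both validation branches on the toy model and returns what each
# step should show. The single critical finding is constructed sample data.
def validation_outcomes(project: 'verification-project')
  flags = FeatureFlags.new
  finding = { severity: 'critical', name: 'constructed sample finding' }
  blocked = Pipeline.new(project: project, status: BLOCKED_STATUS, reports: [finding])
  # Same pipeline after the manual job ran and the pipeline finished.
  finished = Pipeline.new(project: project, status: 'success', reports: [finding])

  flags.enable(:include_manual_to_pipeline_completion, project)
  with_ff = { security_tab: security_tab(flags, blocked), widget: mr_widget(flags, blocked)[:status] }

  flags.disable(:include_manual_to_pipeline_completion, project)
  without_ff = {
    security_tab_blocked: security_tab(flags, blocked),
    security_tab_after_manual_job: security_tab(flags, finished),
    widget: mr_widget(flags, blocked)[:status]
  }

  { with_ff: with_ff, without_ff: without_ff }
end
```

Running `validation_outcomes` reproduces the expected results of the two branches: with the flag on, a blocked pipeline already exposes its findings and the widget reports the new critical finding; with the flag off, the blocked pipeline exposes nothing and the widget shows a parsing error until the manual job has run and the pipeline has finished.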
