Avoid deep merging security policy CI
What does this MR do and why?
CI configured in a pipeline execution policy (the 'custom' scan type) is merged with the project CI before a pipeline runs. With a deep merge, attributes from the project CI can be injected into a job defined by the policy.
For example, if the project CI defines a job with the same name as a job in the security policy CI and adds a 'before_script', that before_script is executed as part of the policy's job.
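As an added illustration, not code from this MR or from GitLab itself, the following Ruby contrasts a recursive (deep) merge with a top-level merge of the two CI hashes from the validation steps below; both sample configurations are constructed inline and the `deep_merge`/`shallow_merge` helpers are assumptions standing in for the real merge logic.

```ruby
require 'yaml'

# Constructed sample: the project's .gitlab-ci.yml with an injected before_script.
PROJECT_CI = YAML.safe_load(<<~YAML)
  build job:
    stage: build
    script:
      - echo "Project CI"
    before_script:
      - echo "Injected from project CI"
YAML

# Constructed sample: the ci_configuration carried by the pipeline execution policy.
POLICY_CI = YAML.safe_load(<<~YAML)
  build job:
    stage: build
    script:
      - echo "Security policy CI"
YAML

# Recursive merge (assumed helper, same shape as ActiveSupport's Hash#deep_merge):
# keys present on only one side survive, so the project's before_script
# ends up inside the policy's job.
def deep_merge(base, other)
  base.merge(other) do |_key, a, b|
    a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b
  end
end

# Top-level merge (assumed helper): a policy job replaces the project job of
# the same name wholesale, so nothing from the project definition is injected.
def shallow_merge(base, other)
  base.merge(other)
end

def deep_merged_job
  deep_merge(PROJECT_CI, POLICY_CI)['build job']
end

def shallow_merged_job
  shallow_merge(PROJECT_CI, POLICY_CI)['build job']
end

if __FILE__ == $PROGRAM_NAME
  puts "deep merge:    #{deep_merged_job.inspect}"   # carries before_script
  puts "shallow merge: #{shallow_merged_job.inspect}" # policy job only
end
```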
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a group
- Go to Settings -> General
- Toggle the Permissions and group features section
- Enable Security policy pipeline execution action
- Create a project
- Add a .gitlab-ci.yml file containing the following job:

```yaml
build job:
  stage: build
  script:
    - echo "Project CI"
  before_script:
    - echo "Injected from project CI"
```
- Go to Secure -> Policies
- Select New policy
- Select Scan execution policy
- Switch to .yaml mode and paste the following policy:
```yaml
type: scan_execution_policy
name: Compliance
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: custom
    ci_configuration: |-
      build job:
        stage: build
        script:
          - echo "Security policy CI"
```
- Select Configure with a merge request and merge the MR
- On the project page, select Build -> Pipelines
- Select Run pipeline
- Inspect the build job logs.
- Observe that the before script defined in the project CI is not executed.
Related to #439337 (closed)
Edited by Andy Schoenen