
Change security pipeline execution policy stages strategy

Andy Schoenen requested to merge 440141-inject-pipeline-execution-stages into master

What does this MR do and why?

This changes the strategy for handling stages in pipeline execution policies. It is no longer possible to define custom stages. Instead, default stages will be injected. This is to make the feature more stable and avoid confusion when merging stage definitions.

As a next step, we want to:

  • Assign jobs to the .pipeline-policy-test stage by default
  • Disallow jobs coming from the project CI configuration from being assigned to one of the .pipeline-policy-* stages.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a group.
  2. Go to Settings -> General.
  3. Toggle the Permissions and group features section.
  4. Enable Security policy pipeline execution action.
  5. Create a project in the group with the following .gitlab-ci.yml file:
    pre job:
      stage: .pre
      script:
        - echo "Hello World"

    build job:
      stage: build
      script:
        - echo "Hello World"

    test job:
      stage: test
      script:
        - echo "Hello World"

    deploy job:
      stage: deploy
      script:
        - echo "Hello World"

    post job:
      stage: .post
      script:
        - echo "Hello World"
  6. On the left sidebar, select Security & Compliance and Policies.
  7. Select New Policy.
  8. Select Scan execution policy.
  9. Switch to .yaml mode and enter the following policy:
    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: custom
        ci_configuration: |-
          pre policy:
            stage: .pipeline-policy-pre
            script:
              - echo 'Hello World'

          test policy:
            stage: .pipeline-policy-post
            script:
              - echo 'Hello World'

          post policy:
            stage: .pipeline-policy-test
            script:
              - echo 'Hello World'
  10. Select Configure with a merge request.
  11. Merge the MR.
  12. Go back to the project and start a new pipeline.
  13. The pipeline should have the following stages, in this order:
    1. .pipeline-policy-pre
    2. .pre
    3. build
    4. test
    5. .pipeline-policy-test
    6. deploy
    7. .post
    8. .pipeline-policy-post
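The following Ruby script is an added illustration of the stage-injection strategy described above and of the follow-up check listed under "next steps"; it is not GitLab's own implementation and only models the behaviour visible in the validation steps. It assumes the three reserved stage names from the policy (.pipeline-policy-pre, .pipeline-policy-test, .pipeline-policy-post), that the policy test stage is placed directly after the project's test stage, and that a project job targeting a reserved stage should be reported as a violation. The sample .gitlab-ci.yml embedded in it is constructed for the example.

```ruby
# Added example modelling the stage-injection strategy from this MR.
# This is NOT GitLab's code; it reproduces the observable behaviour from the
# validation steps: reserved .pipeline-policy-* stages are injected at fixed
# positions around the project's stages, and project jobs may not use them.
require 'yaml'

POLICY_PRE  = '.pipeline-policy-pre'
POLICY_TEST = '.pipeline-policy-test'
POLICY_POST = '.pipeline-policy-post'
RESERVED_STAGES = [POLICY_PRE, POLICY_TEST, POLICY_POST].freeze
EDGE_STAGES     = %w[.pre .post].freeze
DEFAULT_STAGES  = %w[build test deploy].freeze

# Splits `stages` so that everything up to and including `stage` is in the
# first part. If `stage` is absent, everything goes in the first part, so the
# policy test stage lands after all project stages (an assumption of this
# example, not behaviour stated in the MR).
def split_after(stages, stage)
  idx = stages.index(stage)
  return [stages, []] if idx.nil?

  [stages[0..idx], stages[(idx + 1)..]]
end

# Builds the final stage list for a pipeline. Project stages (defaults when the
# project declares none) are wrapped in .pre/.post, and the reserved policy
# stages are injected before .pre, after test, and after .post. Reserved or
# edge stage names coming from the project are dropped so they cannot be
# relocated by the project configuration.
def inject_policy_stages(project_stages = DEFAULT_STAGES)
  stages = project_stages.reject { |s| RESERVED_STAGES.include?(s) || EDGE_STAGES.include?(s) }
  before_test, after_test = split_after(stages, 'test')
  [POLICY_PRE, '.pre', *before_test, POLICY_TEST, *after_test, '.post', POLICY_POST]
end

# Returns the names of project jobs assigned to a reserved policy stage, which
# is the check the MR description lists as a next step. Non-job top-level keys
# (e.g. `stages:`) are skipped.
def reserved_stage_violations(ci_yaml)
  config = YAML.safe_load(ci_yaml)
  config.each_with_object([]) do |(name, job), violations|
    next unless job.is_a?(Hash) && RESERVED_STAGES.include?(job['stage'])

    violations << name
  end
end

# Constructed sample: a trimmed version of the validation .gitlab-ci.yml plus
# one job that wrongly targets a policy stage.
PROJECT_CI = <<~YAML
  pre job:
    stage: .pre
    script:
      - echo "Hello World"
  build job:
    stage: build
    script:
      - echo "Hello World"
  sneaky job:
    stage: .pipeline-policy-test
    script:
      - echo "Hello World"
YAML

if __FILE__ == $PROGRAM_NAME
  puts inject_policy_stages.join(' -> ')
  puts "jobs using reserved stages: #{reserved_stage_violations(PROJECT_CI).inspect}"
end
```

Running the script prints the eight-stage order listed in step 13 and reports `sneaky job` as the only job violating the reserved-stage rule.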

Related to #440141 (closed)

Edited by Andy Schoenen
