
Assign default security policy stage

What does this MR do and why?

This MR:

  • Assigns security policy CI jobs to the .pipeline-policy-test stage by default if the job does not define a stage of its own.
  • Removes the ability to use the stages keyword in the security policy config, because policy stages cannot be merged with the project config.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a group.

  2. Go to Settings -> General.

  3. Toggle the Permissions and group features section.

  4. Enable Security policy pipeline execution action.

  5. Create a project.

  6. On the left sidebar, select Secure and then Policies.

  7. Select New Policy.

  8. Select Scan execution policy.

  9. Switch to .yaml mode and enter the following policy:

    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: custom
        ci_configuration: |-
          stages:               # This will be ignored
            - custom_stage      # This as well
          test job:
            script:
              - echo 'Hello World'

  10. Select Configure with a merge request.

  11. Merge the MR.

  12. Go back to the project and start a new pipeline.

  13. The pipeline should not have a custom_stage stage, and the test job should be in the .pipeline-policy-test stage.

  14. Adding stage: xyz to the job, where a stage xyz is present in the project pipeline, puts the test job in that stage instead.
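The stage-resolution rule this MR describes, written out as an added reference model in Python (example code, not GitLab's implementation). It assumes the policy ci_configuration contains only a stages key and job definitions, as in the sample policy above, and treats a job that names a stage the project pipeline does not define as an error (an assumption; the MR only covers the case where the stage exists).

```python
"""Reference model of the policy-job stage assignment described in this MR.

Added example, not GitLab code. It mirrors the two behaviours the MR states:
the policy's own `stages` list is ignored, and a policy job with no `stage`
lands in `.pipeline-policy-test`.
"""
from __future__ import annotations

# Default stage for policy jobs that do not declare one (from the MR).
DEFAULT_POLICY_STAGE = ".pipeline-policy-test"

# The MR's sample `ci_configuration`, as the dict a YAML parser would produce
# (constructed here so the example runs offline).
POLICY_CI_CONFIG = {
    "stages": ["custom_stage"],          # ignored by the merge
    "test job": {"script": ["echo 'Hello World'"]},
}

# Stages of the project pipeline the policy is merged into (constructed sample).
PROJECT_STAGES = ["build", "test", "deploy"]


def resolve_policy_stages(project_stages: list[str], policy_config: dict) -> dict:
    """Return the policy jobs with their `stage` resolved against the project pipeline.

    Assumption: every top-level key other than `stages` is a job definition.
    """
    available = set(project_stages) | {DEFAULT_POLICY_STAGE}
    merged: dict = {}
    for name, job in policy_config.items():
        if name == "stages":
            # Policy-defined stages cannot be merged with the project config; drop them.
            continue
        job = dict(job)  # do not mutate the caller's config
        stage = job.get("stage")
        if stage is None:
            # No stage given: the job goes to the default policy stage.
            job["stage"] = DEFAULT_POLICY_STAGE
        elif stage not in available:
            # Assumed behaviour: a stage absent from the project pipeline is rejected.
            raise ValueError(f"job {name!r} uses stage {stage!r}, which the pipeline does not define")
        merged[name] = job
    return merged


if __name__ == "__main__":
    print(resolve_policy_stages(PROJECT_STAGES, POLICY_CI_CONFIG))
```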

Related to #440141 (closed)

Edited by Max Fan
