Fix policy variables in scheduled pipelines
What does this MR do and why?
This MR fixes policy variables in scheduled pipelines. The bug was introduced when we enabled security_policies_variables_precedence by default !139828 (merged), because active_policies_scan_actions_for_project used in variables builder was filtering only for pipeline rules.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
- Create a project
- Create
.gitlab-ci.yml:build_job: script: echo 'build' - Under Settings -> CI/CD, create a new variable
CI_REGISTRY_IMAGEwith valuecitizenstig/dvwa - Under Secure -> Policies, create a new policy:
type: scan_execution_policy name: Container scanning with variables description: '' enabled: true actions: - scan: container_scanning variables: CS_IMAGE: '$CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}' SECURE_LOG_LEVEL: debug CI_DEBUG_TRACE: 'true' rules: - type: schedule cadence: '*/15 * * * *' branch_type: default - Open rails console and trigger the scheduled build manually:
Security::OrchestrationPolicyRuleSchedule.last.update_columns next_run_at: 1.minute.ago Security::OrchestrationPolicyRuleScheduleWorker.new.perform - Go to the new pipeline and verify that variables were set (
CI_DEBUG_TRACEshould print out all variables) - Trigger a pipeline on
mainand verify that onlybuild_jobis present