
Add selection between templates in Scan Execution Policies

What does this MR do and why?

This MR adds the ability to select a template in Scan Execution Policies, specifying whether a given scan should be enforced using the latest security template or the default one.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the scan_execution_policies_with_latest_templates feature flag (in the rails console: Feature.enable :scan_execution_policies_with_latest_templates)
  2. Create a new project
  3. Add a .gitlab-ci.yml file with workflow:rules to disable regular push pipelines (https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines):
    test-job:
      script:
      - echo "TEST"
    
    workflow:
      rules:
        - if: $CI_PIPELINE_SOURCE == "push"
          when: never
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  4. Create a new Scan Execution Policy (go to Secure -> Policies -> Create new -> Scan Execution Policy) (you can use container scanning with the CS_IMAGE variable set to alpine:3.12.0)
  5. Go to YAML mode and, for the selected scan, add template: latest
  6. Go to your project, make a simple change to the README file and create an MR for that change. You'll notice that the new pipeline is created only with the merge_request label, and that it is the only pipeline created.
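For reference, a complete policy of the kind steps 4 and 5 describe, written out as an added example rather than code from this MR. The keys follow GitLab's scan execution policy schema; the policy name, the `branches: ["*"]` rule and the file path are assumptions for a throwaway test project.

```yaml
# .gitlab/security-policies/policy.yml in the linked security policy project
# (path is an assumption; the policy editor writes this file for you).
scan_execution_policy:
  - name: Container scanning with latest template (test)
    description: >
      Enforces container scanning on every pipeline. With the
      scan_execution_policies_with_latest_templates flag enabled, the
      "template" key selects the Container-Scanning.latest template instead
      of the stable default one.
    enabled: true
    rules:
      # "*" matches any branch, so the merge request pipeline from step 6
      # is covered without listing branch names (assumed for a test project).
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: container_scanning
        # Scan a fixed image so the job does not depend on the project
        # building and pushing its own image first.
        variables:
          CS_IMAGE: alpine:3.12.0
        # The new key introduced by this MR: "latest" or "default".
        template: latest
```

Switching `template` to `default` (or omitting it) should make the same policy fall back to the stable template, which is the behaviour the flag is meant to leave unchanged.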

Related to #415427 (closed)

Edited by Alan (Maciej) Paruszewski
