
Add pipeline execution policy schedule run

Andy Schoenen requested to merge 472671-scheduled-scan-execution-policy-poc into master

What does this MR do and why?

This is a POC to make it possible to run pipeline execution policies on a schedule. It is behind the scheduled_pipeline_execution_policies feature flag.

I tried to re-use some parts of the existing scan execution policy schedule logic. I extended the Security::OrchestrationPolicyRuleSchedule model to work for multiple policy types. Based on this we can store and process schedule rules for pipeline execution policies.

To configure the schedule, there is a new strategy type, schedule. If it is selected, a new field, trigger, is required to define the branches to trigger and the cadence for the schedule.

With the schedule, only the jobs defined in this particular pipeline execution policy will be triggered, no other jobs will be included.

Before this feature can be released on production, we have to:

  • Move pipeline creation to a separate worker.
  • Create and resolve follow-ups based on comments in this MR.
  • Multiple schedule policies will not work.
  • Remove 'all' as branch type.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag
    echo "Feature.enable(:scheduled_pipeline_execution_policies)" | rails c
  2. Create a group
  3. Create a project in the group
  4. Create a policy-ci.yml file with the following content:
    policy job:
      stage: build
      script:
        - echo "Do your policy script here"
  5. Create a .gitlab/security-policies/policy.yml file with the following content:
    ---
    pipeline_execution_policy:
    - name: pipeline execution
      description: ''
      enabled: true
      pipeline_config_strategy: schedule
      trigger:
        cadence: '0 10 * * *'
        branch_type: 'all'
      content:
        include:
        - project: your-group/your-project
          file: policy-ci.yml
  6. Replace your-group/your-project with the path to your project.
  7. On the group's left sidebar, select Security & Compliance and Policies.
  8. Select Edit policy project
  9. Select the project you created in step 3.
  10. Create another new project for the group.
  11. Trigger the scheduled run via rails console:
    Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: 1.day.ago)
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  12. On the left sidebar, select Build -> Pipelines.
  13. There should be a new pipeline triggered by the security policy bot containing the policy job. It may take a few minutes for the pipeline to appear.
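As an added illustration (not code from this MR or from GitLab), the following Ruby snippet checks a policy.yml against the rules this description states for the schedule strategy: trigger is required when pipeline_config_strategy is schedule, cadence should be a cron expression, branch_type 'all' is slated for removal, and only one schedule policy is expected to work in this POC. The cron field syntax and the exact error wording are assumptions, not the project's validation.

```ruby
require 'yaml'

# Constructed sample mirroring the policy.yml from the setup steps above.
SAMPLE_POLICY_YML = <<~YAML
  ---
  pipeline_execution_policy:
  - name: pipeline execution
    description: ''
    enabled: true
    pipeline_config_strategy: schedule
    trigger:
      cadence: '0 10 * * *'
      branch_type: 'all'
    content:
      include:
      - project: your-group/your-project
        file: policy-ci.yml
YAML

# Assumed 5-field cron syntax: each field is '*', a number or range, optionally
# with a '/step', and fields may be comma-separated lists.
CRON_FIELD = %r{\A(\*|\d+(-\d+)?)(/\d+)?(,(\*|\d+(-\d+)?)(/\d+)?)*\z}

def cron_valid?(cadence)
  fields = cadence.to_s.split
  fields.size == 5 && fields.all? { |f| f.match?(CRON_FIELD) }
end

# Returns the list of problems found in one policy; empty means it passes.
def validate_pipeline_execution_policy(policy)
  errors = []
  name = policy['name']
  trigger = policy['trigger']
  if policy['pipeline_config_strategy'] == 'schedule'
    return ["#{name}: 'trigger' is required when strategy is 'schedule'"] if trigger.nil?

    errors << "#{name}: trigger.cadence is not a 5-field cron expression" unless cron_valid?(trigger['cadence'])
    errors << "#{name}: trigger.branch_type is missing" unless trigger['branch_type']
    # The MR lists removing 'all' as a pre-release task, so flag its use.
    errors << "#{name}: branch_type 'all' is slated for removal" if trigger['branch_type'] == 'all'
  elsif trigger
    errors << "#{name}: 'trigger' only applies to the 'schedule' strategy"
  end
  errors
end

# Validates every pipeline_execution_policy entry in a policy.yml document.
def validate_document(yml)
  policies = Array(YAML.safe_load(yml)['pipeline_execution_policy'])
  errors = policies.flat_map { |p| validate_pipeline_execution_policy(p) }
  scheduled = policies.count { |p| p['pipeline_config_strategy'] == 'schedule' }
  errors << 'only one schedule policy is supported in this POC' if scheduled > 1
  errors
end
```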

Related to #472671 (closed)

Edited by Andy Schoenen
