
Trigger worker on push when the linked PEP project config changes

What does this MR do and why?

Trigger worker on push when the linked PEP project config changes.

This change allows us to update pipeline execution policy metadata when a policy CI configuration changes to know which scanners are enforced by a pipeline execution policy.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable feature flag pipeline_execution_policy_analyze_configs
  2. Create a project SPP
  3. In the project, create policy-ci.yml:
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    policy-test-job:
      stage: test
      script:
        - echo 'Policy test job 1'
  4. Create another project
  5. In this project, go to Secure -> Policies and link the SPP project from step 2 as a policy project
  6. Create a new pipeline execution policy:
    pipeline_execution_policy:
      - name: Enforced scans
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <path-to-spp-project>
              file: policy-ci.yml
  7. Save the policy
  8. Verify in the Rails console that the metadata has been updated with enforced_scans: ['dependency_scanning']:
    Security::Policy.last.metadata
  9. Update the policy-ci.yml directly in the repository, changing the included scanner templates
  10. Verify that the metadata in the policy has been updated
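As an added illustration of the two pieces of logic this MR is about (this is example code, not code from the MR or from GitLab), the following derives the enforced scanners from a policy CI file's included templates and decides whether a push to the linked SPP touched a file the policy includes. The template-to-scanner mapping and the project path `group/spp` are assumptions of this example.

```ruby
require 'yaml'

# Assumed mapping from GitLab CI scanner templates to scanner identifiers (example's own assumption).
SCANNER_TEMPLATES = {
  'Jobs/Dependency-Scanning.gitlab-ci.yml' => 'dependency_scanning',
  'Jobs/SAST.gitlab-ci.yml' => 'sast',
  'Jobs/Secret-Detection.gitlab-ci.yml' => 'secret_detection',
  'Jobs/Container-Scanning.gitlab-ci.yml' => 'container_scanning'
}.freeze

# `include:` may be a single mapping or a list; normalise to a list of mappings.
def include_entries(node)
  (node.is_a?(Array) ? node : [node]).select { |e| e.is_a?(Hash) }
end

# Scanners enforced by a policy CI config, derived from the templates it includes.
def enforced_scans(policy_ci_yaml)
  config = YAML.safe_load(policy_ci_yaml)
  config = {} unless config.is_a?(Hash)
  include_entries(config['include']).filter_map { |e| SCANNER_TEMPLATES[e['template']] }.uniq.sort
end

# Files in `project_path` that a pipeline execution policy links through `content.include`.
def linked_config_files(policy, project_path)
  include_entries(policy.dig('content', 'include'))
    .select { |inc| inc['project'] == project_path }.map { |inc| inc['file'] }
end

# A push to `project_path` that touches a linked file should trigger the metadata refresh.
def config_changed?(policy, project_path, changed_paths)
  (linked_config_files(policy, project_path) & changed_paths).any?
end

# Constructed sample input mirroring the policy-ci.yml and the policy from the steps above.
POLICY_CI = <<~YAML
  include:
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  policy-test-job:
    stage: test
    script:
      - echo 'Policy test job 1'
YAML
POLICY = { 'name' => 'Enforced scans', 'pipeline_config_strategy' => 'inject_ci',
           'content' => { 'include' => [{ 'project' => 'group/spp', 'file' => 'policy-ci.yml' }] } }

puts enforced_scans(POLICY_CI).inspect                       # ["dependency_scanning"]
puts config_changed?(POLICY, 'group/spp', ['policy-ci.yml']) # true
```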

Related to #498624 (closed)

Edited by Martin Cavoj
