Add skipped security policies pipelines audit event
What does this MR do and why?
This MR adds audit events for skipped pipelines where scan_execution or pipeline_execution policies should be enforced.
References
Related to: #539232 (closed)
How to set up and validate locally
1. Enable the feature flag `collect_security_policy_skipped_pipelines_audit_events` using the rails console:

   ```ruby
   Feature.enable(:collect_security_policy_skipped_pipelines_audit_events)
   ```
2. Create a new group
3. Create a new project in the group
4. Add a CI config file `policy-ci.yml` with the content:

   ```yaml
   pipeline execution policy job:
     stage: .pipeline-policy-pre
     script:
       - echo "Enforce your policy here"
   ```
5. Add a `.gitlab/security-policies/policy.yml` file with the content:

   ```yaml
   ---
   pipeline_execution_policy:
     - name: test
       description: ''
       enabled: true
       pipeline_config_strategy: override_project_ci
       content:
         include:
           - project: <path-to-your-project>/project
             file: policy-ci.yml
       skip_ci:
         allowed: true
   ```
6. Go back to the group created on step 2
7. Go to Secure > Policies
8. Click on `Edit policy project` and select your project.
9. Create another project in the group
10. Go to Secure > Policies
11. Click on New policy
12. Select Scan Execution Policy
13. Create a policy with `skip_ci` enabled:

    ```yaml
    scan_execution_policy:
      - name: sep-skip-ci-test
        description: ''
        enabled: true
        rules:
          - type: pipeline
            branch_type: default
        actions:
          - scan: secret_detection
            variables:
              SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
        skip_ci:
          allowed: true
    ```
14. Click on Create new project with the new policy
15. Merge the new MR to add the policy
16. Create a private webhook receiver.
    1. Create a script called `print_http_body.rb`:

       ```ruby
       require 'webrick'

       # Listen on the port given as the first argument, e.g. `ruby print_http_body.rb 8000`.
       server = WEBrick::HTTPServer.new(:Port => Integer(ARGV.first))

       # Print the raw body of every request so the streamed audit event JSON is visible.
       server.mount_proc '/' do |req, res|
         puts req.body
         res.status = 200
       end

       trap 'INT' do
         server.shutdown
       end

       server.start
       ```
    2. Start the script:

       ```shell
       ruby print_http_body.rb 8000
       ```
17. Go to Admin > Monitoring > Audit events
18. Click on the Streams tab
19. Click on Add streaming destination
20. Click on HTTP endpoint
21. Set the destination URL to your listener, e.g. `http://localhost:8000/`
22. In event filtering select `Policy pipeline skipped`
23. Click on Add
24. Go back to the project created on step 9
25. Create a MR editing the `README.md` file with a commit message containing `[skip ci]`
26. Verify that NO pipeline is created
27. Verify the audit event was received in your private listener:
```json
{
  "id": "dadc4fed-a6da-4f8f-b886-b8bb352b9d98",
  "author_id": 1,
  "entity_id": 135,
  "entity_type": "Project",
  "details": {
    "merge_request_title": "[skip ci]Edit README.md",
    "merge_request_id": 354,
    "merge_request_iid": 1,
    "source_branch": "root-main-patch-20460",
    "target_branch": "main",
    "project_id": 135,
    "project_name": "sep-project",
    "project_full_path": "test-skip-execution-policies-audit-event/sep-project",
    "skipped_policies": [
      {
        "name": "sep",
        "policy_type": "scan_execution_policy"
      },
      {
        "name": "sep-skip-ci-test",
        "policy_type": "scan_execution_policy"
      },
      {
        "name": "test",
        "policy_type": "pipeline_execution_policy"
      }
    ],
    "event_name": "policy_pipeline_skipped",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 919,
    "target_type": "Ci::Pipeline",
    "target_details": "unknown",
    "custom_message": "Pipeline: 919 with security policy jobs skipped",
    "ip_address": "172.16.123.1",
    "entity_path": "test-skip-execution-policies-audit-event/sep-project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "test-skip-execution-policies-audit-event/sep-project",
  "target_details": "unknown",
  "created_at": "2025-06-30T22:40:08.489Z",
  "target_type": "Ci::Pipeline",
  "target_id": 919,
  "event_type": "policy_pipeline_skipped"
}
```
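Eyeballing the raw body works for one event, but when validating that every enforced policy is reported it helps to parse the payload and compare the `skipped_policies` list against what the setup above should produce (one `scan_execution_policy` and one `pipeline_execution_policy`). The script below is an added example written for this review, not code from this MR or from the GitLab code base. It reuses the event shape shown above, with a constructed `SAMPLE_EVENT` that is not a live capture; the function names `summarize_skipped_policies` and `all_expected_skipped?`, the `EXPECTED` map and the `AUDIT_LISTEN_PORT` environment variable are all assumptions of the example.

```ruby
require 'json'

# Parse the body of one streamed audit event (as delivered to the HTTP
# destination configured in the steps above) and return the fields a
# validator cares about. Returns nil for non-JSON bodies and for events
# other than policy_pipeline_skipped, so unrelated streamed events are ignored.
def summarize_skipped_policies(body)
  event = JSON.parse(body)
  return nil unless event['event_type'] == 'policy_pipeline_skipped'

  details = event.fetch('details')
  # skipped_policies is a list of {name, policy_type}; group names by type so a
  # check can assert on both SEP and PEP being reported for the same pipeline.
  by_type = Hash.new { |h, k| h[k] = [] }
  details.fetch('skipped_policies').each do |policy|
    by_type[policy.fetch('policy_type')] << policy.fetch('name')
  end

  {
    pipeline_id: event['target_id'],
    project: details['project_full_path'],
    merge_request_iid: details['merge_request_iid'],
    author: event['author_name'],
    skipped: by_type
  }
rescue JSON::ParserError
  nil
end

# True only when every policy name we expect to be enforced appears in the
# event under the right policy type. Extra reported policies are tolerated.
def all_expected_skipped?(summary, expected)
  return false if summary.nil?

  expected.all? { |type, names| (names - summary[:skipped][type]).empty? }
end

# Constructed sample (assumption of this example), trimmed to the fields the
# checker reads from the event shape shown above.
SAMPLE_EVENT = JSON.generate(
  'id' => '00000000-0000-0000-0000-000000000000',
  'author_name' => 'Administrator',
  'target_id' => 919,
  'target_type' => 'Ci::Pipeline',
  'event_type' => 'policy_pipeline_skipped',
  'details' => {
    'merge_request_iid' => 1,
    'project_full_path' => 'group/sep-project',
    'skipped_policies' => [
      { 'name' => 'sep-skip-ci-test', 'policy_type' => 'scan_execution_policy' },
      { 'name' => 'test', 'policy_type' => 'pipeline_execution_policy' }
    ]
  }
)

# What the setup steps above should yield: the SEP from step 13 and the PEP from step 5.
EXPECTED = {
  'scan_execution_policy' => ['sep-skip-ci-test'],
  'pipeline_execution_policy' => ['test']
}.freeze

# Optional listener mode, a drop-in for print_http_body.rb:
#   AUDIT_LISTEN_PORT=8000 ruby check_skipped_policies.rb
if ENV['AUDIT_LISTEN_PORT']
  require 'webrick'

  server = WEBrick::HTTPServer.new(Port: Integer(ENV['AUDIT_LISTEN_PORT']))
  server.mount_proc '/' do |req, res|
    summary = summarize_skipped_policies(req.body.to_s)
    if summary
      puts "pipeline #{summary[:pipeline_id]} in #{summary[:project]} " \
           "(MR !#{summary[:merge_request_iid]}): skipped #{summary[:skipped]}"
      puts(all_expected_skipped?(summary, EXPECTED) ? 'OK: all expected policies reported' : 'MISSING: an expected policy was not reported')
    else
      puts "ignored non-matching event: #{req.body.to_s[0, 80]}"
    end
    res.status = 200
  end
  trap('INT') { server.shutdown }
  server.start
end
```

Point the streaming destination from step 21 at this listener instead of `print_http_body.rb` and repeat steps 25 and 26; the `MISSING` line tells you immediately if only one of the two policy types was recorded for the skipped pipeline.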
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha