
Send an audit event when a scheduled SEP policy cannot be enforced

What does this MR do and why?

This MR triggers a new audit event when a scheduled pipeline for scan execution policies could not be created. In the scope of this MR, we are considering the scenario in which we have sufficient data to try to create a pipeline. The cases when some of the data is not available at the time the schedule is processed are out of the scope of this MR.

References

Related to #561047

How to set up and validate locally

  1. Enable the feature flag in a Rails console:

         Feature.enable(:collect_scheduled_security_policy_not_enforced_audit_events)

  2. Create a new project.
  3. Go to Settings > General.
  4. Expand the Visibility, project features, permissions section.
  5. Scroll to Repository and disable CI/CD.
  6. Click on Save changes.
  7. Go to Secure > Policies.
  8. Click on New policy.
  9. Select Scan execution policy.
 10. Create a scheduled scan execution policy with the following content:

         scan_execution_policy:
           - name: scheduled sep
             description: ''
             enabled: true
             rules:
               - type: schedule
                 cadence: 0 0 * * *
                 branch_type: protected
                 timezone: Etc/UTC
                 time_window:
                   distribution: random
                   value: 36000
             actions:
               - scan: secret_detection
                 template: latest
                 variables:
                   SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
             skip_ci:
               allowed: true

 11. Create a private webhook receiver.

     11.1. Create a script called print_http_body.rb:

         require 'webrick'

         # Listen on the port given as the first argument (e.g. 8000).
         server = WEBrick::HTTPServer.new(:Port => ARGV.first.to_i)

         # Print the body of every request so streamed audit events can be inspected.
         server.mount_proc '/' do |req, res|
           puts "=== Received Audit Event ==="
           puts req.body
           puts "=========================="
         end

         # Shut the server down cleanly on Ctrl-C.
         trap 'INT' do
           server.shutdown
         end
         server.start

     11.2. Start the script, passing the port it should listen on:

         ruby print_http_body.rb 8000

 12. Go to Admin > Monitoring > Audit events.
 13. Click on the Streams tab.
 14. Click on Add streaming destination.
 15. Click on HTTP endpoint.
 16. Set the destination URL to your listener, e.g. http://localhost:8000/.
 17. Click on Add.
 18. Trigger the scheduled policy from the Rails console:

         Security::ScanExecutionPolicies::CreatePipelineWorker.new.perform(Project.second_to_last.id, 1, Security::OrchestrationPolicyRuleSchedule.last.id, 'main')

 19. Verify that an audit event for the pipeline failure was received by your private listener:
{
  "id": "1ec13896-9481-43c6-b715-192d4599e59a",
  "author_id": 181,
  "entity_id": 174,
  "entity_type": "Project",
  "details": {
    "target_branch": "main",
    "project_id": 173,
    "project_name": "test-pipelines-disabled-audit-events",
    "project_full_path": "root/test-pipelines-disabled-audit-events",
    "skipped_policy": {
      "name": "scheduled sep",
      "policy_type": "scan_execution_policy"
    },
    "event_name": "security_policy_scheduled_scans_not_enforced",
    "author_name": "GitLab Security Policy Bot",
    "author_class": "User",
    "target_id": 1,
    "target_type": "Security::OrchestrationPolicyRuleSchedule",
    "target_details": "1",
    "custom_message": "Schedule: 1 created by security policies could not be enforced",
    "ip_address": null,
    "entity_path": "root/test-pipelines-disabled-audit-events-security-policy-project"
  },
  "ip_address": "",
  "author_name": "GitLab Security Policy Bot",
  "entity_path": "root/test-pipelines-disabled-audit-events-security-policy-project",
  "target_details": "1",
  "created_at": "2025-08-18T12:46:14.076Z",
  "target_type": "Security::OrchestrationPolicyRuleSchedule",
  "target_id": 1,
  "event_type": "security_policy_scheduled_scans_not_enforced"
}
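A consumer of the audit stream will usually want to pick these events out of everything else the endpoint receives and check that the fields it relies on are present. The following Ruby is an added example, not code from this MR or from GitLab: it parses a streamed body, keeps only events of type security_policy_scheduled_scans_not_enforced, validates the details fields shown in the sample payload above, and tallies skipped policies per project. The field names are taken from that sample; the second, unrelated event below is constructed for illustration.

```ruby
require 'json'

# Event type emitted when a scheduled scan execution policy could not be
# enforced (name taken from the sample payload in the MR description).
NOT_ENFORCED_EVENT = 'security_policy_scheduled_scans_not_enforced'.freeze

# Fields inside "details" that a consumer of this event should rely on.
REQUIRED_DETAILS = %w[project_full_path skipped_policy target_branch custom_message].freeze

# Trimmed copy of the sample event from the MR description above.
SAMPLE_NOT_ENFORCED = <<~JSON.freeze
  {
    "id": "1ec13896-9481-43c6-b715-192d4599e59a",
    "author_id": 181, "entity_id": 174, "entity_type": "Project",
    "details": {
      "target_branch": "main",
      "project_id": 173,
      "project_name": "test-pipelines-disabled-audit-events",
      "project_full_path": "root/test-pipelines-disabled-audit-events",
      "skipped_policy": { "name": "scheduled sep", "policy_type": "scan_execution_policy" },
      "event_name": "security_policy_scheduled_scans_not_enforced",
      "custom_message": "Schedule: 1 created by security policies could not be enforced"
    },
    "created_at": "2025-08-18T12:46:14.076Z",
    "target_type": "Security::OrchestrationPolicyRuleSchedule",
    "target_id": 1,
    "event_type": "security_policy_scheduled_scans_not_enforced"
  }
JSON

# Constructed event of another type, to show it is filtered out.
SAMPLE_OTHER = <<~JSON.freeze
  { "id": "constructed-0001", "event_type": "project_created", "details": {} }
JSON

# Constructed event that has the right type but is missing required details.
SAMPLE_MALFORMED = <<~JSON.freeze
  { "id": "constructed-0002", "event_type": "security_policy_scheduled_scans_not_enforced",
    "details": { "target_branch": "main" } }
JSON

# Parse one streamed body and return a compact summary hash, or nil when the body
# is not JSON or is not a "scheduled scans not enforced" event. Raises when the
# event has the expected type but lacks fields we depend on, so the gap is noticed.
def summarize_not_enforced_event(body)
  event = JSON.parse(body)
  return nil unless event['event_type'] == NOT_ENFORCED_EVENT

  details = event['details'] || {}
  missing = REQUIRED_DETAILS.reject { |key| details.key?(key) }
  unless missing.empty?
    raise ArgumentError, "audit event #{event['id']} is missing details: #{missing.join(', ')}"
  end

  {
    id: event['id'],
    created_at: event['created_at'],
    project: details['project_full_path'],
    policy: details['skipped_policy']['name'],
    policy_type: details['skipped_policy']['policy_type'],
    branch: details['target_branch'],
    schedule_id: event['target_id'],
    message: details['custom_message']
  }
rescue JSON::ParserError
  nil
end

# Tally skipped policies per project over a batch of raw bodies, so a schedule
# that repeatedly fails to run stands out from a one-off failure.
def not_enforced_by_project(bodies)
  bodies.filter_map { |body| summarize_not_enforced_event(body) }
        .group_by { |summary| summary[:project] }
        .transform_values { |events| events.map { |e| e[:policy] }.tally }
end

if __FILE__ == $PROGRAM_NAME
  p summarize_not_enforced_event(SAMPLE_NOT_ENFORCED)
  p not_enforced_by_project([SAMPLE_NOT_ENFORCED, SAMPLE_NOT_ENFORCED, SAMPLE_OTHER])
end
```

The summary deliberately keeps both the policy name and the target_branch, since the same policy can be scheduled against several protected branches and an operator following up on the failure needs to know which one did not get its scan.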

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
