Handle missing gitlab-ci.yml files using compliance pipelines

Problem

Applying a compliance framework label to projects with a missing .gitlab-ci.yml file will cause compliance pipelines to fail:

[A customer] found that if the compliance pipeline is set to a project that does not have a .gitlab-ci.yml, it fails with a file .gitlab-ci.yml does not exist!“ They have many projects that don’t have .gitlab-ci.yml but should undergo our SAST scanners for compliance. Is there a way to make that include dependent on whether a .gitlab-ci.yml exists?

Examples

Failed pipeline - missing file, delete the .gitlab-ci.yml file.

Investigation

In compliance-pipeline.gitlab-ci.yml there is an include: to look for this file, which may be causing the error when it's missing.

include:
    - template: Security/SAST.gitlab-ci.yml
    - project: '$CI_PROJECT_PATH'
      file: '$CI_CONFIG_PATH'

Implementation Plan/Investigation

• GitLab CI cannot create pipelines when .gitlab-ci.yml does not exist in a project, even if the project is subject to compliance framework forced includes. This is expected!
• However, in the case of projects that are subject to compliance framework include: blocks, we could temporarily create an empty .gitlab-ci.yml file which is then merged with the compliance configuration.
  • This would silence the error saying that the CI config file doesn't exist and perform the compliance check too.
• Update documentation example to leverage the approach to handle missing gitlab-ci.yml files.
  • We expect users to copy & paste that section frequently, so updating the example helps save users some steps.

References

Slack discussion

cc: @stkerr