Adding a new tag for projects with scan policies creates invalid pipelines
Adding a new tag creates invalid pipelines in the project under the following conditions:
- `scan_execution_policy` enabled
- Auto DevOps disabled
- no `.gitlab-ci.yml` file
Investigating the error, it seems that `ProjectConfig::SecurityPolicyDefault` considers that we should trigger a pipeline to enforce the policy scans. However, during the configuration merge process, `SecurityOrchestrationPolicies::Processor` does not find an applicable policy for the given ref. The policy seems to apply only to branches, not to tags.
I believe we should not trigger a pipeline in this case.
Steps to reproduce
- Create a new project with a `README.md` file
- Make sure the project does not have a `.gitlab-ci.yml` and Auto DevOps is disabled
- Update the readme file
- Create a new scan execution policy with the content

```yaml
type: scan_execution_policy
name: se
description: ''
enabled: true
rules:
- type: pipeline
  branch_type: all
actions:
- scan: secret_detection
```

- Go to Code > Tags
- Add a new tag

A pipeline with an invalid yaml will be created.
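The following Python sketch is an added illustration, not GitLab's code, of the mismatch the report describes: one check (modelled on what the report says about `ProjectConfig::SecurityPolicyDefault`) decides that an enabled pipeline-rule policy is reason enough to create a pipeline, while the ref-matching step (modelled on the described `SecurityOrchestrationPolicies::Processor` behaviour) only matches branch refs. The function names, the ref-prefix convention and the policy dict (built from the YAML above) are assumptions made for the example; `should_trigger_pipeline` shows the consistent decision the report argues for, where a tag push with no applicable policy creates no pipeline at all.

```python
# Hypothetical model of the two checks described in the issue; not GitLab code.

# Policy dict constructed from the scan execution policy YAML in the report.
POLICY = {
    "type": "scan_execution_policy",
    "name": "se",
    "enabled": True,
    "rules": [{"type": "pipeline", "branch_type": "all"}],
    "actions": [{"scan": "secret_detection"}],
}


def is_branch_ref(ref: str) -> bool:
    """Assumed ref convention: branches live under refs/heads/, tags under refs/tags/."""
    return ref.startswith("refs/heads/")


def default_wants_pipeline(policies, has_ci_file: bool, auto_devops: bool) -> bool:
    """Models the 'default config' decision as described in the report: with no
    .gitlab-ci.yml and Auto DevOps off, any enabled policy carrying a pipeline rule
    is enough to request a pipeline, and the ref type is never consulted."""
    if has_ci_file or auto_devops:
        return False  # the project supplies its own CI config; nothing to default
    return any(
        p["enabled"] and any(r["type"] == "pipeline" for r in p["rules"])
        for p in policies
    )


def applicable_policies(policies, ref: str):
    """Models the merge-time ref matching as described: a pipeline rule with
    branch_type: all matches branch refs only, so a tag ref matches nothing."""
    matched = []
    for p in policies:
        if not p["enabled"]:
            continue
        for r in p["rules"]:
            if r["type"] != "pipeline":
                continue
            if r.get("branch_type") == "all" and is_branch_ref(ref):
                matched.append(p)
                break
    return matched


def decide(policies, ref: str, has_ci_file: bool = False, auto_devops: bool = False) -> str:
    """Reproduce the inconsistency: 'invalid_pipeline' is the case where a pipeline
    is requested but no policy jobs are merged into it (empty/invalid CI config)."""
    if not default_wants_pipeline(policies, has_ci_file, auto_devops):
        return "no_pipeline"
    if applicable_policies(policies, ref):
        return "pipeline"
    return "invalid_pipeline"


def should_trigger_pipeline(policies, ref: str, has_ci_file: bool = False,
                            auto_devops: bool = False) -> bool:
    """The consistent rule the report suggests: only request a default pipeline when
    at least one policy actually applies to the ref being built."""
    return (
        default_wants_pipeline(policies, has_ci_file, auto_devops)
        and bool(applicable_policies(policies, ref))
    )


if __name__ == "__main__":
    for ref in ("refs/heads/main", "refs/tags/v1.0"):
        print(ref, decide([POLICY], ref), should_trigger_pipeline([POLICY], ref))
```

Running the block prints `pipeline` / `True` for the branch ref and `invalid_pipeline` / `False` for the tag ref, which is the behaviour difference the reproduction steps above exercise.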