Scan execution policy runs pipeline on branches other than configured
Summary
A customer reported a problem with a scan execution policy. They configured the policy to run on the default branch only, but the policy ran on every pipeline, causing pipeline failures.
This happens on gitlab.com and can be reproduced. In the sample project the policy pipeline is executed even though the rule names a specific branch.
See sample policy:
```yaml
name: Secret detection scan
description: ''
enabled: true
actions:
  - scan: secret_detection
    tags:
      - linux
rules:
  - type: pipeline
    branches:
      - main
```
Steps to reproduce
- Create a scan execution policy whose `pipeline` rule targets specific branches (or the default branch)
- Create a different branch, not listed in the rule, and push code to it
- The policy pipeline runs on that branch
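To make the expected behaviour concrete, the following added example (not code from the issue or from GitLab) evaluates the sample policy's `pipeline` rule against branch names and flags pipelines where the scan ran although the rule does not cover the branch. The policy is embedded as a Python dict mirroring the YAML above; the observed pipeline results are constructed sample data. It assumes GitLab matches `branches` entries as glob patterns (wildcards such as `release-*`), approximated here with `fnmatch`.

```python
from fnmatch import fnmatchcase

# The policy from the issue, as a dict (mirrors the YAML in the report).
POLICY = {
    "name": "Secret detection scan",
    "enabled": True,
    "actions": [{"scan": "secret_detection", "tags": ["linux"]}],
    "rules": [{"type": "pipeline", "branches": ["main"]}],
}


def branch_matches(patterns, branch):
    """True if `branch` matches any entry in `patterns`.

    Assumption: entries are glob-style patterns (e.g. 'release-*'),
    approximated with fnmatch; an exact name like 'main' matches only 'main'.
    """
    return any(fnmatchcase(branch, pattern) for pattern in patterns)


def scans_for_pipeline(policy, branch):
    """Scans the policy should inject into a pipeline running on `branch`.

    Returns an empty list when no `pipeline` rule covers the branch, i.e.
    the policy must leave that pipeline alone.
    """
    if not policy.get("enabled", False):
        return []
    for rule in policy.get("rules", []):
        if rule.get("type") != "pipeline":
            continue
        if branch_matches(rule.get("branches", []), branch):
            return [action["scan"] for action in policy.get("actions", [])]
    return []


def unexpected_policy_runs(policy, observed):
    """Branches where a policy scan ran but the rule did not cover the branch.

    `observed` maps branch name -> list of policy scans that actually ran.
    A non-empty result reproduces the symptom described in this issue.
    """
    unexpected = []
    for branch, ran in observed.items():
        if ran and not scans_for_pipeline(policy, branch):
            unexpected.append(branch)
    return unexpected


# Constructed sample of what the reporter observed: the scan ran on the
# configured branch and also on an unrelated feature branch.
OBSERVED = {
    "main": ["secret_detection"],
    "feature/login-fix": ["secret_detection"],
}

if __name__ == "__main__":
    print("expected on main:", scans_for_pipeline(POLICY, "main"))
    print("expected on feature/login-fix:",
          scans_for_pipeline(POLICY, "feature/login-fix"))
    print("ran where it should not have:",
          unexpected_policy_runs(POLICY, OBSERVED))
```

With the rule as written, only `main` should receive the secret detection job; the feature branch appearing in the "ran where it should not have" list is exactly the reported bug.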
Example Project
https://gitlab.com/gerardo_ultimate_group/tickets/510886/-/security/policies
What is the current bug behavior?
Scan execution policy runs pipeline on branches other than configured
What is the expected correct behavior?
Scan execution policy should run the pipeline only on the branches configured in its rules