
Remove rules to disable job when enforced by security policies

What does this MR do and why?

This MR fixes a problem where it was possible to disable jobs by using _DISABLED variables in certain scenarios. In this MR we are removing the rule that checks this, so it will not be possible to set any variable that disables a job enforced by a security policy.

How to set up and validate locally

  1. Create a new project, add a Gemfile.lock and a file with the *.rb extension, and create a simple .gitlab-ci.yml file with one job:
    variables:
      DOCKER_IMAGE: nginx:1.18.0
    
    simple-job:
      script:
      - echo "Simple job..."
  2. Create a Scan Execution Policy for the project (go to Security & Compliance -> Policies -> New Policy -> Scan Execution Policy, then create and merge the MR) and select all scanners.
  3. Try to disable the enforced jobs in multiple ways:
    1. Settings -> CI/CD -> Variables -> set DAST_DISABLED, CONTAINER_SCANNING_DISABLED, etc. to "true"
    2. Add a variables: section to the .gitlab-ci.yml file with the same variables as in point 1 set to "true"
    3. Add a variables: section to each action in the policy configuration with the same variables as in point 1 set to "true"
  4. After each step, run the pipeline and check whether any of the enforced jobs are disabled (not running)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #377540 (closed)

Edited by Alan (Maciej) Paruszewski
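The validation steps above exercise one mechanism: a policy-injected scan job whose `rules:` contain an `if: $<SCANNER>_DISABLED` / `when: never` clause can be switched off by anyone who can set that variable, whether from project CI/CD settings, from the `variables:` section of `.gitlab-ci.yml`, or from the policy action itself. The following is an added example, not code from this MR or from GitLab: a small model of GitLab's `rules:if` evaluation that runs the three attempts from the validation steps against the job shape before the fix (the `_DISABLED` rule present) and after it (the rule removed, as the MR describes). The `_DISABLED` rule shape and the trailing `if: $CI_COMMIT_BRANCH` rule are assumed to mirror the scanner CI templates; the variable-truthiness semantics ("defined and non-empty") and the merging of variable sources are simplified assumptions, and variable precedence between sources is deliberately not modelled because only the presence of the variable matters for the bypass.

```python
"""Model of how a GitLab `rules:` block decides whether a job is added to a
pipeline, used to show why a `$<SCANNER>_DISABLED` rule on a policy-enforced
scan job is a bypass and why removing the rule closes it.

Added example; not the MR's code and not GitLab's implementation.
Assumptions: `if: $VAR` is true when VAR is defined and non-empty; the first
matching rule wins; a job whose rules all fail to match is not added.
"""
from typing import Dict, List, Optional

Rules = List[Dict[str, str]]
Variables = Dict[str, str]

# Constructed pipeline context (assumed): a pipeline on the default branch.
PIPELINE_CONTEXT: Variables = {"CI_COMMIT_BRANCH": "main"}

# Scanners the (constructed) Scan Execution Policy enforces; the
# `<SCANNER>_DISABLED` naming follows the variables named in the MR steps.
ENFORCED_SCANNERS = ["CONTAINER_SCANNING", "DAST", "SAST", "SECRET_DETECTION"]


def variable_truthy(name: str, variables: Variables) -> bool:
    """`if: $VAR` is true when VAR is defined and non-empty (simplified model)."""
    return bool(variables.get(name, ""))


def job_runs(rules: Optional[Rules], variables: Variables) -> bool:
    """Evaluate a `rules:` list top to bottom; the first matching rule decides.

    Only `if: $VAR` conditions are supported, with an optional `when:`
    (default `on_success`). A job with no `rules:` is always added.
    """
    if not rules:
        return True
    for rule in rules:
        condition = rule["if"]
        assert condition.startswith("$"), "model only supports `if: $VAR`"
        if variable_truthy(condition[1:], variables):
            return rule.get("when", "on_success") != "never"
    return False  # no rule matched: job is not added to the pipeline


def policy_job_rules(scanner: str, honour_disabled_variable: bool) -> Rules:
    """Rules of the job the policy injects for `scanner` (assumed shape).

    honour_disabled_variable=True  -> pre-fix: `_DISABLED` rule present.
    honour_disabled_variable=False -> post-fix: that rule removed.
    """
    rules: Rules = []
    if honour_disabled_variable:
        rules.append({"if": f"${scanner}_DISABLED", "when": "never"})
    rules.append({"if": "$CI_COMMIT_BRANCH"})
    return rules


def enforced_jobs_that_run(variables: Variables,
                           honour_disabled_variable: bool) -> List[str]:
    """Which enforced scan jobs end up in the pipeline for these variables."""
    merged = {**PIPELINE_CONTEXT, **variables}
    return [
        scanner for scanner in ENFORCED_SCANNERS
        if job_runs(policy_job_rules(scanner, honour_disabled_variable), merged)
    ]


# The three attempts from the validation steps, as constructed sample input.
PROJECT_SETTINGS_VARIABLES = {"DAST_DISABLED": "true"}            # Settings -> CI/CD
CI_YML_VARIABLES = {"CONTAINER_SCANNING_DISABLED": "true"}         # .gitlab-ci.yml
POLICY_ACTION_VARIABLES = {"SAST_DISABLED": "true"}                # policy action

# Presence is all that matters here, so a plain merge is enough (precedence
# between the sources is not modelled).
ATTEMPT = {**PROJECT_SETTINGS_VARIABLES, **CI_YML_VARIABLES, **POLICY_ACTION_VARIABLES}


def compare_before_after() -> Dict[str, List[str]]:
    """Run the same attempt against the pre-fix and post-fix job shapes."""
    return {
        "before_fix": enforced_jobs_that_run(ATTEMPT, honour_disabled_variable=True),
        "after_fix": enforced_jobs_that_run(ATTEMPT, honour_disabled_variable=False),
    }


if __name__ == "__main__":
    for label, jobs in compare_before_after().items():
        print(f"{label}: {jobs}")
```

Before the fix, only SECRET_DETECTION survives the attempt because no `_DISABLED` variable was set for it; after the rule is removed, all four enforced jobs run no matter which of the three places the variables are set in. The `variable_truthy` model also shows the edge the verification steps rely on: an empty value does not trip the rule, so "disabled" has to be spelled as a non-empty string such as "true".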
