Remove rules to disable job when enforced by security policies
What does this MR do and why?
This MR fixes the problem where it was possible to disable jobs by using `_DISABLED` variables in certain scenarios. In this MR we are removing the rule that checks this, so it will no longer be possible to set any variable that disables a job enforced by a security policy.
How to set up and validate locally
- Create a new project, add `Gemfile.lock`, some file with the `*.rb` extension, and create a simple `.gitlab-ci.yml` file with one job:

```yaml
variables:
  DOCKER_IMAGE: nginx:1.18.0

simple-job:
  script:
    - echo "Simple job..."
```

- Create a Scan Execution Policy for the project (create and merge the MR after going to Security & Compliance -> Policies -> New Policy -> Scan Execution Policy), select all scanners.
- Try to disable them using multiple ways to do it:
  - Settings -> CI/CD -> Variables -> Set `DAST_DISABLED`, `CONTAINER_SCANNING_DISABLED`, etc. to `"true"`
  - Add to the `.gitlab-ci.yml` file a `variables:` section with the same variables as in point 1, set to `"true"`
  - Add to the policy configuration, for each `action`, a `variables:` section with the same variables as in point 1, set to `"true"`
- After each step, run the pipeline to check whether any of the enforced jobs are disabled (not running).
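To make the behaviour change concrete, the following is an added example (a small Ruby model, not GitLab's own rule code): it lists the enforced scanners from a scan execution policy, flags every place a `<SCANNER>_DISABLED` variable is set to `"true"` (project variables, the `.gitlab-ci.yml` `variables:` section, and the policy action's own `variables:`), and compares which enforced jobs run under the removed rule versus after this MR. The policy and variable hashes are constructed for the example.

```ruby
# Added example, not GitLab's own code: a small model of the rule this MR
# removes. Scanner names and the "<SCANNER>_DISABLED" variable naming follow
# the MR description; the policy and variable hashes below are constructed.

# Constructed scan execution policy with all scanners selected; one action
# carries its own disabling variable, as in the third validation step.
POLICY = {
  'actions' => [
    { 'scan' => 'dast' },
    { 'scan' => 'container_scanning',
      'variables' => { 'CONTAINER_SCANNING_DISABLED' => 'true' } },
    { 'scan' => 'secret_detection' },
    { 'scan' => 'sast' },
  ],
}.freeze

# Constructed project CI/CD variables and `.gitlab-ci.yml` `variables:` section.
PROJECT_VARIABLES = { 'SAST_DISABLED' => 'true' }.freeze
CI_VARIABLES = { 'DOCKER_IMAGE' => 'nginx:1.18.0', 'DAST_DISABLED' => 'true' }.freeze

def enforced_scanners(policy)
  policy['actions'].map { |action| action['scan'] }
end

# Merge every place the variable could be set (later sources win) and list
# the enforced scanners whose "<SCANNER>_DISABLED" is "true". Worth flagging
# in a pipeline audit even after the fix, since it signals a bypass attempt.
def disable_attempts(policy, variable_sources)
  action_variables = policy['actions'].map { |action| action.fetch('variables', {}) }
  merged = (variable_sources + action_variables).reduce({}) { |acc, vars| acc.merge(vars) }
  enforced_scanners(policy).select { |scan| merged["#{scan.upcase}_DISABLED"] == 'true' }
end

# Enforced jobs that end up in the pipeline. `honor_disabled_vars: true`
# models the removed rule; the default models the behaviour after this MR.
def enforced_jobs_to_run(policy, variable_sources, honor_disabled_vars: false)
  scanners = enforced_scanners(policy)
  return scanners unless honor_disabled_vars

  scanners - disable_attempts(policy, variable_sources)
end

if __FILE__ == $PROGRAM_NAME
  sources = [PROJECT_VARIABLES, CI_VARIABLES]
  puts "disable attempts: #{disable_attempts(POLICY, sources).inspect}"
  puts "runs before fix:  #{enforced_jobs_to_run(POLICY, sources, honor_disabled_vars: true).inspect}"
  puts "runs after fix:   #{enforced_jobs_to_run(POLICY, sources).inspect}"
end
```

With the constructed input, only `secret_detection` would have run under the removed rule, while all four enforced scanners run after the fix regardless of where the disabling variables were set.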
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #377540 (closed)
Edited by Alan (Maciej) Paruszewski