
Exclude deleted projects from scan execution rule

What does this MR do and why?

Projects that are marked for deletion cannot run pipelines and are read-only, so they can be excluded from scheduled scan execution pipelines.

I started working on this as a bug fix for #402134 (closed), but the bug seems to be fixed already (see #402134 (comment 1385812963)). I think it is still a performance improvement not to try to start a pipeline for projects scheduled for deletion in the first place.

How to set up and validate locally

  1. Create a group.
  2. Enable instance-wide delayed project deletion.
  3. Add projects to the group:
     1. Create a new blank project in the group.
     2. Add a simple `.gitlab-ci.yml` file to the project (see the simple `.gitlab-ci.yml` example below).
     3. Add a `package.json` file with content `{}` to the project. This is needed for the SAST scanner to run.
     4. Four times, create a new project by importing from the first one.
  4. Create a new scan execution policy with SAST:
     1. On the group-level left sidebar, select Security & Compliance and then Policies.
     2. Select New Policy.
     3. Select Scan execution policy.
     4. For Name, choose any name.
     5. For Actions, choose SAST.
     6. For Conditions, choose a schedule rule (the original shows a screenshot here, Screenshot_2023-05-23_at_12.53.19; the scan execution policy example below contains the equivalent rule).
     7. Alternatively to steps 1 to 6, you can switch to .yaml mode and copy the scan execution policy example below.
     8. Select Configure with a merge request.
     9. Merge the MR.
  5. If you haven't already, set up a runner with Docker.
  6. To reset the timer and trigger the schedule worker, run (in a Rails console):

     ```ruby
     Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)
     Security::OrchestrationPolicyRuleScheduleWorker.new.perform
     ```

  7. This should create a new pipeline in every project.
  8. Delete project 3.
  9. Again run:

     ```ruby
     Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)
     Security::OrchestrationPolicyRuleScheduleWorker.new.perform
     ```

  10. The pipeline should be started in all the remaining projects.

Example files

Simple `.gitlab-ci.yml`

```yaml
# .gitlab-ci.yml

image: busybox:latest

test1:
  stage: test
  script:
    - echo "Do a test here"
    - echo "For example run a test suite"
```

Scan execution policy

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: schedule
    branches:
      - '*'
    cadence: 0 0 * * *
actions:
  - scan: sast
    tags: []
```
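The rationale given at the top (a project marked for deletion is read-only and cannot run a pipeline, so the schedule worker should not even try) and the validation steps above (five projects, project 3 deleted, pipelines expected only in the remaining four) are modelled below as a standalone Ruby example. This is added illustration, not code from the MR or from GitLab: `Project` and the pipeline store are plain in-memory structures, the attribute name `marked_for_deletion_at` and the `ReadOnlyError` stand-in for a refused pipeline are assumptions, and the fixture data is constructed.

```ruby
# Added example (not the MR's or GitLab's code): a miniature schedule worker
# showing the effect of filtering out projects marked for deletion before a
# scheduled scan execution pipeline is attempted. The attribute name
# `marked_for_deletion_at` is an assumption about the project model.
require 'time'

Project = Struct.new(:id, :name, :marked_for_deletion_at, keyword_init: true) do
  # With delayed deletion the project is not removed immediately; it is
  # flagged with a timestamp, becomes read-only and cannot run pipelines.
  def marked_for_deletion?
    !marked_for_deletion_at.nil?
  end
end

# Stand-in (assumed) for what happens when a pipeline is requested on a
# read-only project: the request is refused.
ReadOnlyError = Class.new(StandardError)

# Stand-in for pipeline creation; appends a record to the given store.
def create_pipeline(project, pipelines)
  raise ReadOnlyError, "project #{project.id} is read-only" if project.marked_for_deletion?

  pipelines << { project_id: project.id, created_at: Time.now }
  true
end

# Behaviour before the change: every project in the rule's scope is tried,
# and the attempt on a project marked for deletion is wasted work that fails.
def run_schedule_without_filter(projects, pipelines)
  attempted = 0
  failed = []
  projects.each do |project|
    attempted += 1
    begin
      create_pipeline(project, pipelines)
    rescue ReadOnlyError
      failed << project.id
    end
  end
  { attempted: attempted, failed: failed }
end

# Behaviour after the change: projects marked for deletion are excluded up
# front, so no pipeline start is attempted for them and nothing can fail.
def run_schedule_with_filter(projects, pipelines)
  eligible = projects.reject(&:marked_for_deletion?)
  eligible.each { |project| create_pipeline(project, pipelines) }
  { attempted: eligible.size, failed: [] }
end

# Constructed fixture mirroring the validation steps: five projects, with
# project 3 deleted (under delayed deletion it is flagged, not removed).
def sample_projects
  (1..5).map do |i|
    Project.new(id: i, name: "project-#{i}",
                marked_for_deletion_at: (i == 3 ? Time.now : nil))
  end
end

if __FILE__ == $PROGRAM_NAME
  pipelines = []
  puts "without filter: #{run_schedule_without_filter(sample_projects, pipelines).inspect}"
  pipelines = []
  puts "with filter:    #{run_schedule_with_filter(sample_projects, pipelines).inspect}"
  puts "pipelines created for projects: #{pipelines.map { |p| p[:project_id] }.inspect}"
end
```

Both variants end up with pipelines in projects 1, 2, 4 and 5 (which is what step 10 of the validation checks for); the difference is that the filtered version never issues the doomed request for project 3, which is the performance point the MR description makes.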

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
