Add `branch_type` support to scan execution policies
What does this MR do and why?
We are adding branch_type
support to security policies (&9468 (closed)).
This MR adds branch_type
support to Scan execution policies.
Currently, security policies specify their targeted branches with the branches
key. The value can be wildcarded, e.g. feature-*
to target mutliple branches. We are now adding branch_type
which accepts one of three values: all
, protected
and default
.
For details on branch_type
, see Proposal.
How to set up and validate locally
-
Create a new group
-
Create a new contained project
-
Enable the feature flag for the project:
Feature.enable(:security_policies_branch_type, Project.last)
-
Commit the following
.gitlab-ci.yml
:dummy_job: script: - exit 0
-
Commit an empty
Gemfile.lock
for Dependency Scanning jobs to execute. -
Navigate to
Repository > Branches
and create the following branches:develop
feature-1
feature-2
legacy
-
Navigate to
Settings > Repository
, expand theProtected branches
section and create the following protected branches:develop
feature-*
type: pipeline
rules
Validating -
On the group level, navigate to
Security and Compliance > Policies
and create the following scan execution policy:type: scan_execution_policy name: Pipeline / Default Branch / Container Scan description: '' enabled: true rules: - type: pipeline branch_type: default actions: - scan: container_scanning variables: CS_IMAGE: "nginx:1"
-
On the project level, navigate to
Security and Compliance > Policies
and create the following scan execution policies:type: scan_execution_policy name: Pipeline / Protected Branches / Secret Detection description: '' enabled: true rules: - type: pipeline branch_type: protected actions: - scan: secret_detection
type: scan_execution_policy name: Pipeline / All Branches / Dependency Scanning description: '' enabled: true rules: - type: pipeline branch_type: all actions: - scan: dependency_scanning
-
Navigate to
CI/CD > Pipelines
, run pipelines for the following branches and verify their jobs:Pipeline branch Jobs main
dummy_job
,container-scanning-0
,secret-detection-1
,gemnasium-dependency-scanning-2
develop
dummy_job
,secret-detection-0
,gemnasium-dependency-scanning-1
feature-1
dummy_job
,secret-detection-0
,gemnasium-dependency-scanning-1
legacy
dummy_job
,gemnasium-dependency-scanning-0
type: schedule
rules
Validating -
On the group or project level, navigate to
Security and Compliance > Policies
and create the following scan execution policies:type: scan_execution_policy name: Scheduled / Protected Branches / DAST description: '' enabled: true rules: - type: schedule cadence: "0 0 * * *" branch_type: protected actions: - scan: dast site_profile: nonexistent scanner_profile: nonexistent
type: scan_execution_policy name: Scheduled / Default Branch / Container Scanning description: '' enabled: true rules: - type: schedule cadence: "0 0 * * *" branch_type: default actions: - scan: container_scanning
-
Clear the previously created pipelines from with
Project.find(ID).all_pipelines.destroy_all
. -
Create
run.rb
with the following contents:PROJECT = Project.find(-1) # replace configs = PROJECT.all_security_orchestration_policy_configurations schedules = Security::OrchestrationPolicyRuleSchedule.where(security_orchestration_policy_configuration_id: configs) schedules.each do |schedule| Security::SecurityOrchestrationPolicies::RuleScheduleService .new(container: schedule.security_orchestration_policy_configuration.project, current_user: User.first) .execute(schedule) end
-
Execute it with
bin/rails runner run.rb
-
Navigate to
CI/CD > Pipelines
and confirm the following (job, branches) pipeline combinations were created:Job Branches container-scanning-0
main
dast-on-demand-0
main
,develop
,feature-1
,feature-2
Other things to try
branches
Validate policies with wildcard -
Add the following scan execution policy:
type: scan_execution_policy name: Pipeline / Wildcard Branch / Container Scanning description: '' enabled: true rules: - type: pipeline branches: ["leg*"] actions: - scan: container_scanning variables: CS_IMAGE: "nginx:1"
-
Navigate to
CI/CD > Pipelines
, run a pipeline for thelegacy
branch and verify its jobs:dummy_job
container-scanning-1
gemnasium-dependency-scanning-0
Validate scan result policies
-
Create the following scan execution policy:
type: scan_result_policy name: Scan Result Policy description: '' enabled: true rules: - type: scan_finding branches: [] scanners: - container_scanning vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: - new_needs_triage actions: - type: require_approval approvals_required: 1 user_approvers_ids: - 1
-
Add Container Scanning to
.gitlab-ci.yml
on thedevelop
branch:dummy_job: script: - exit 0 include: - template: Security/Container-Scanning.gitlab-ci.yml
-
Open a new Merge Request targeting
develop
and confirm theScan Result Policy
approval rule applies.
Disabling the feature
type: pipeline
rules
Validating -
Ensure the
Pipeline / Wildcard Branch / Container Scanning
policy from above exists. -
Disable the feature:
Feature.disable(:security_policies_branch_type, Project.find(ID)
-
Navigate to
CI/CD > Pipelines
, run a pipeline for thelegacy
branch and verify its jobs:dummy_job
container-scanning-0
type: schedule
rules
Validating -
Ensure you don't have more than 4 scan execution policies, as 5 is the limit per configuration.
-
Create the following scan execution policy:
name: Scheduled / Wildcard Branch / Container Scanning description: '' enabled: true actions: - scan: container_scanning tags: [] rules: - type: schedule cadence: 0 0 * * * branches: - leg*
-
Execute
bin/rails runner run.rb
-
Verify the
container-scanning-0
is the only job in the pipeline.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #404774 (closed)