
Log failures if schedule pipeline fails to create

What does this MR do and why?

The purpose of this MR is to log a message if creating a scheduled scan execution pipeline fails. To do this, some services needed to be changed to be able to return an error or success status.

I'm trying to verify a feature (introduced in !119136 (merged)) that uses bot users to run a scheduled scan execution pipeline. But the pipelines don't appear to be created. To learn more about the failure, I'd like to introduce some logging.
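To illustrate the pattern this MR describes (a pipeline-creation service that returns an explicit success or error status, and a schedule worker that logs the error as a structured entry instead of silently dropping it), here is a self-contained Ruby simulation. It is an added example, not GitLab's code: `ServiceResult`, `CreateScheduledPipelineService`, `RuleScheduleWorker` and the `PROJECT_MEMBERS` permission table are all hypothetical stand-ins, and the IDs are constructed to match the log line shown later in the MR.

```ruby
require 'json'
require 'logger'
require 'time'

# Hypothetical result object: the explicit success/error status that the
# services in the MR are changed to return (not GitLab's ServiceResponse).
ServiceResult = Struct.new(:status, :message, :payload) do
  def success?
    status == :success
  end
end

# Constructed permission model: policy configuration id => user ids that are
# allowed to run pipelines on the associated project.
PROJECT_MEMBERS = { 36 => [1, 2, 3] }.freeze

# Hypothetical pipeline-creation service. Instead of returning nil on failure,
# it returns a ServiceResult carrying the reason, so callers can log it.
class CreateScheduledPipelineService
  def initialize(configuration_id:, user_id:, branch:)
    @configuration_id = configuration_id
    @user_id = user_id
    @branch = branch
  end

  def execute
    unless PROJECT_MEMBERS.fetch(@configuration_id, []).include?(@user_id)
      return ServiceResult.new(
        :error,
        "You do not have sufficient permission to run a pipeline on '#{@branch}'. " \
        'Please select a different branch or contact your administrator for assistance.'
      )
    end

    ServiceResult.new(:success, nil, { pipeline_id: 101 }) # constructed pipeline id
  end
end

# Hypothetical worker: runs the service for one rule schedule and emits a
# structured WARN entry when creation fails. The entry hash is returned so the
# outcome can be inspected without parsing log output.
class RuleScheduleWorker
  def initialize(logger: Logger.new($stdout))
    @logger = logger
  end

  def perform(configuration_id:, user_id:, branch: 'main')
    result = CreateScheduledPipelineService.new(
      configuration_id: configuration_id, user_id: user_id, branch: branch
    ).execute
    return nil if result.success?

    entry = {
      severity: 'WARN',
      time: Time.now.utc.iso8601(3),
      worker: self.class.name,
      security_orchestration_policy_configuration_id: configuration_id,
      user_id: user_id,
      message: result.message
    }
    @logger.warn(JSON.generate(entry))
    entry
  end
end

if __FILE__ == $PROGRAM_NAME
  # User 68 is not a member of the project behind configuration 36, so this logs a WARN line.
  RuleScheduleWorker.new.perform(configuration_id: 36, user_id: 68)
end
```

The useful property for operators is that the failure is tied to the policy configuration and the bot user in the same log line, which is what makes a silently skipped scheduled scan visible in the Sidekiq logs and lets an alert key on the `worker` and `severity` fields.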

How to set up and validate locally

1. Create a project
    1. Create a new blank project.
    2. Add a simple `.gitlab-ci.yml` file to the project (see the simple `.gitlab-ci.yml` example below).
    3. Add a `package.json` file with content `{}` to the project. This is needed for the SAST scanner to run.
2. Create a new scan execution policy with SAST for the project.
    1. On the left sidebar, select Security & Compliance, then Policies.
    2. Select New Policy.
    3. Select Scan execution policy.
    4. For Name, choose any name.
    5. For Actions, choose SAST.
    6. For Conditions, choose the condition shown in the MR's screenshot (Screenshot_2023-05-23_at_12.53.19; the equivalent YAML is in the scan execution policy example below).
    7. Alternatively to steps 1 to 6, you can switch to .yaml mode and copy the scan execution policy example below.
    8. Select Configure with a merge request.
    9. Merge the MR.
3. Change the owner of the rule schedule to some user that doesn't have access to the project:

    ```ruby
    project = Project.find(YOUR_PROJECT_ID)
    rule_schedule = Security::OrchestrationPolicyRuleSchedule.find_by(security_orchestration_policy_configuration: Security::OrchestrationPolicyConfiguration.find_by(project: project))
    rule_schedule.update(owner_id: 4) # Make sure the user ID used here doesn't have access to the project
    ```

4. Follow the logs by running `tail -f log/sidekiq_client.log`.
5. Kick off the rule schedule worker:

    ```ruby
    Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
    ```

6. The logs should show a message like this:

    ```json
    {"severity":"WARN","time":"2023-05-26T19:16:29.531Z","worker":"Security::OrchestrationPolicyRuleScheduleWorker","security_orchestration_policy_configuration_id":36,"user_id":68,"message":"You do not have sufficient permission to run a pipeline on 'main'. Please select a different branch or contact your administrator for assistance. ","retry":0}
    ```

Example files

Simple `.gitlab-ci.yml`

```yaml
# .gitlab-ci.yml

image: busybox:latest

test1:
  stage: test
  script:
    - echo "Do a test here"
    - echo "For example run a test suite"
```

Scan execution policy

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
  - type: schedule
    branches:
      - '*'
    cadence: 0 0 * * *
actions:
  - scan: sast
    tags: []
```

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
