Add support for Compliance Pipelines in Security Policies
What does this MR do and why?
This adds an experimental feature that allows specifying a CI configuration as part of a scan execution policy.
The feature is behind the `compliance_pipeline_in_policies` feature flag.
Note: The demo shows an outdated schema. The property should include `scan: custom` next to `ci_configuration`.
Related issue: Spike: Prepare PoC and document limitations for... (#420621 - closed)
How to set up and validate locally
- Create a new project.
- Add a simple CI file to the project:

```yaml
test1:
  stage: test
  script:
    - echo "This is a test"
```
- Go to Secure -> Policies.
- Select New Policy.
- Select Scan execution policy.
- Switch to **.yaml mode**.
- Enter a simple CI configuration as custom scan:

```yaml
type: scan_execution_policy
name: 'test'
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: custom
    ci_configuration: |-
      test2:
        stage: test
        script:
          - echo "This is a test included from security policy"
```
- Select Configure with a merge request.
- Merge the MR.
- Run a pipeline in your project.
- The pipeline should include two jobs: one from the project CI and one from the security policy CI.
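To make the validation steps above concrete, here is an added Ruby example (not GitLab's own implementation) that simulates what the feature is expected to do: pull the `ci_configuration` out of every `scan: custom` action of an enabled policy and merge those jobs into the project CI. The conflict check on duplicate job names is an assumption added for the example, so a policy job cannot silently shadow a project job or vice versa.

```ruby
require 'yaml'

# Constructed sample: the project CI file from the setup steps.
PROJECT_CI = <<~YAML
  test1:
    stage: test
    script:
      - echo "This is a test"
YAML

# Constructed sample: the scan execution policy entered in .yaml mode.
POLICY = <<~YAML
  type: scan_execution_policy
  name: 'test'
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: all
  actions:
    - scan: custom
      ci_configuration: |-
        test2:
          stage: test
          script:
            - echo "This is a test included from security policy"
YAML

# Collect the job definitions carried by every `scan: custom` action.
# A disabled policy contributes nothing.
def policy_jobs(policy_yaml)
  policy = YAML.safe_load(policy_yaml)
  return {} unless policy['enabled']

  (policy['actions'] || [])
    .select { |a| a['scan'] == 'custom' && a['ci_configuration'] }
    .map { |a| YAML.safe_load(a['ci_configuration']) }
    .reduce({}) { |acc, jobs| acc.merge(jobs) }
end

# Merge policy jobs into the project CI (assumed behaviour for this example).
# Refuse a job name present on both sides rather than letting one override the other.
def merge_ci(project_yaml, policy_yaml)
  project = YAML.safe_load(project_yaml)
  extra = policy_jobs(policy_yaml)
  clash = project.keys & extra.keys
  raise "job name conflict between project CI and policy: #{clash.join(', ')}" unless clash.empty?

  project.merge(extra)
end

puts merge_ci(PROJECT_CI, POLICY).keys.inspect # => ["test1", "test2"]
```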
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Andy Schoenen