
Fix scan policy enforcement

Marcos Rocha requested to merge mc_rocha-fix-scan-exec-policies-enforcement into master

What does this MR do and why?

The changes introduced by MR !121087 (merged) incorrectly create pipelines with an invalid configuration when the only active policy rule is a scheduled pipeline.

The error was discussed here.

We should not enforce the security scans if the active policy rule is a scheduled pipeline.

This MR improves the scan policy enforcement check to exclude policies containing only scheduled pipeline rules.

Related to issue: #419195 (closed)

How to set up and validate locally

  1. Create a new group
  2. Configure a group-level scan execution policy with the following YAML example:

```yaml
type: scan_execution_policy
name: schedule policy
description: ''
enabled: true
actions:
- scan: secret_detection
  tags: []
rules:
- type: schedule
  cadence: "*/5 * * * *"
  branches:
  - main
  - master
  timezone: Etc/UTC
```

  3. Ensure that Auto-DevOps is disabled either at the group or instance level.
  4. Create a new empty project, but allow a README.md file to be created.
  5. Navigate to Build > Pipelines
  6. Wait a couple of minutes and the scheduled pipeline will run
  7. Verify the pipeline created has the security_orchestration_policy source

```shell
rails c
```

```ruby
Ci::Pipeline.last.source
```

  8. Verify that no pipeline containing no jobs was created

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
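As an added illustration of the rule this MR describes (not the project's own code), the following hypothetical Ruby filter reads a constructed set of scan execution policies and keeps only the active ones that carry at least one non-schedule rule; a policy whose rules are all `schedule` rules, like the YAML in the validation steps, is left out of enforcement. The policy names, the `sast`/`dast` actions and the function names are assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample policies (not from the project's code base). The first
# mirrors the schedule-only policy from the MR description; the second also
# carries a pipeline rule; the third is disabled.
POLICIES_YAML = <<~YAML
  scan_execution_policy:
  - name: schedule policy
    enabled: true
    actions: [{ scan: secret_detection }]
    rules:
    - { type: schedule, cadence: "*/5 * * * *", branches: [main, master] }
  - name: pipeline policy
    enabled: true
    actions: [{ scan: sast }]
    rules:
    - { type: pipeline, branches: [main] }
    - { type: schedule, cadence: "0 0 * * *", branches: [main] }
  - name: disabled policy
    enabled: false
    actions: [{ scan: dast }]
    rules:
    - { type: pipeline, branches: [main] }
YAML

# A policy is schedule-only when every rule it has is a schedule rule; such a
# policy must not inject scan jobs into the regular pipeline.
def schedule_only?(policy)
  rules = policy.fetch('rules', [])
  !rules.empty? && rules.all? { |rule| rule['type'] == 'schedule' }
end

# Hypothetical enforcement filter (an assumption, not GitLab's implementation):
# return the names of active policies that have at least one non-schedule rule.
def enforced_policy_names(yaml_text)
  policies = YAML.safe_load(yaml_text).fetch('scan_execution_policy', [])
  policies.select { |p| p['enabled'] && !schedule_only?(p) }
          .map { |p| p['name'] }
end

puts enforced_policy_names(POLICIES_YAML).inspect if $PROGRAM_NAME == __FILE__
```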
