Fix scan policy enforcement
What does this MR do and why?
The changes introduced by MR !121087 (merged) incorrectly create pipelines with an invalid configuration when the only active policy rule is a scheduled pipeline.
The error was discussed here.
We should not enforce the security scans when the only active policy rule is a scheduled pipeline.
This MR improves the scan policy enforcement check to exclude policies that contain only scheduled pipeline rules.
Related to issue: #419195 (closed)
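As an added illustration of the check this MR describes (example code written here, not GitLab's own implementation), the snippet below loads two constructed scan execution policies and decides whether scans should be enforced on a regular pipeline. A policy only counts towards enforcement if it is enabled and has at least one rule that is not a `schedule` rule; a schedule-only policy, like the one in the validation steps, is left to the scheduler and does not add scan jobs to other pipelines. The helper names `enforce_scans_for_policy?` and `enforce_scans?` are hypothetical.

```ruby
require 'yaml'

# Constructed sample policies (not taken from GitLab's codebase).
# The first mirrors the schedule-only policy used in the validation steps.
SCHEDULE_ONLY_POLICY = <<~YAML
  type: scan_execution_policy
  name: schedule policy
  enabled: true
  actions:
    - scan: secret_detection
  rules:
    - type: schedule
      cadence: "*/5 * * * *"
      branches: [main, master]
      timezone: Etc/UTC
YAML

# A policy with a pipeline rule: scans must run on matching pipelines.
PIPELINE_POLICY = <<~YAML
  type: scan_execution_policy
  name: pipeline policy
  enabled: true
  actions:
    - scan: secret_detection
  rules:
    - type: pipeline
      branches: [main]
YAML

# A policy mixing both rule types still enforces scans because of its
# non-schedule rule.
MIXED_POLICY = <<~YAML
  type: scan_execution_policy
  name: mixed policy
  enabled: true
  actions:
    - scan: secret_detection
  rules:
    - type: schedule
      cadence: "0 * * * *"
      branches: [main]
    - type: pipeline
      branches: [main]
YAML

def load_policy(yaml)
  YAML.safe_load(yaml)
end

# Hypothetical helper: a policy contributes to enforcement on a regular
# (non-scheduled) pipeline only when it is enabled and has at least one rule
# whose type is not "schedule". Disabled or schedule-only policies return false.
def enforce_scans_for_policy?(policy)
  return false unless policy['enabled']

  policy.fetch('rules', []).any? { |rule| rule['type'] != 'schedule' }
end

# Enforcement applies if any policy in the set enforces scans.
def enforce_scans?(policies)
  policies.any? { |policy| enforce_scans_for_policy?(policy) }
end

if __FILE__ == $PROGRAM_NAME
  [SCHEDULE_ONLY_POLICY, PIPELINE_POLICY, MIXED_POLICY].each do |yaml|
    policy = load_policy(yaml)
    puts "#{policy['name']}: enforce=#{enforce_scans_for_policy?(policy)}"
  end
end
```

With only the schedule-only policy active, `enforce_scans?` returns false, which is the case that previously produced a pipeline with an invalid configuration; adding a policy with a `pipeline` rule flips it to true.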
How to set up and validate locally
- Create a new group
- Configure a group-level scan execution policy with the following YAML example:

  ```yaml
  type: scan_execution_policy
  name: schedule policy
  description: ''
  enabled: true
  actions:
    - scan: secret_detection
      tags: []
  rules:
    - type: schedule
      cadence: "*/5 * * * *"
      branches:
        - main
        - master
      timezone: Etc/UTC
  ```
- Ensure that Auto-DevOps is disabled either at the group or instance level.
- Create a new empty project, but allow a README.md file to be created.
- Navigate to Build > Pipelines
- Wait a couple of minutes for the scheduled pipeline to run.
- Verify that the created pipeline has the `security_orchestration_policy` source. In a Rails console (`rails c`):

  ```ruby
  Ci::Pipeline.last.source
  ```
- Verify that no pipeline without jobs was created.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Marcos Rocha