Fix scan execution policy CI variables for pipelines
What does this MR do and why?
This MR allows the SECRET_DETECTION_HISTORIC_SCAN variable to be set for secret detection scans in scan execution policies for regular pipelines.
This fixes the bug where a user added the CI variable SECRET_DETECTION_HISTORIC_SCAN: 'true' to the policy, but the secret detection job in the pipeline did not use the variable value.
Related to #420332 (closed)
Screenshots or screen recordings
How to set up and validate locally
- Create a new project
- Navigate to Secure => Policies => New policy => Scan execution
- Create a policy like:

```yaml
type: scan_execution_policy
name: Secret Detection Execution
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: secret_detection
    variables:
      SECRET_DETECTION_HISTORIC_SCAN: 'true'
      SECURE_LOG_LEVEL: debug
      SECRET_DETECTION_RULESET_GIT_REFERENCE: >-
        $USER_EXT_RULESET_SEC_POL:$EXT_RULESET_SEC_POL@gitlab.com/roche/playground/gitlab-duo/group-security-policies
scan_result_policy:
  - name: Found Secret Block
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
```
- Save the policy, merge it.
- Add a `.gitlab-ci.yml` like:

```yaml
test-job:
  script:
    - echo "Test Job..."
```
- Wait for the pipeline to run.
- Inspect the secret detection job logs and look for the SECRET_DETECTION_HISTORIC_SCAN value. It should be `true`, as defined in the policy.
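The manual check in the last step can be scripted. The following is an added example (not code from this MR or from GitLab): it transcribes the policy above into a dict (the ruleset reference variable is left out), extracts the variables declared for the `secret_detection` scan action, and compares them against `KEY=value` lines in a job log. The job-log format is an assumption, and both log samples are constructed; the second one reproduces the symptom this MR fixes, a policy value that never reached the job.

```python
"""Check that variables declared in a scan execution policy reach the
secret detection job. Added example: the policy dict mirrors the policy
in the steps above, the job-log format (KEY=value lines) is an assumption,
and both log samples are constructed."""
import re

# Transcription of the scan execution policy from the setup steps
# (SECRET_DETECTION_RULESET_GIT_REFERENCE omitted for brevity).
POLICY = {
    "type": "scan_execution_policy",
    "name": "Secret Detection Execution",
    "enabled": True,
    "rules": [{"type": "pipeline", "branch_type": "all"}],
    "actions": [
        {
            "scan": "secret_detection",
            "variables": {
                "SECRET_DETECTION_HISTORIC_SCAN": "true",
                "SECURE_LOG_LEVEL": "debug",
            },
        }
    ],
}

# Constructed job log for the fixed behaviour. Assumed format: one
# KEY=value line per variable, as an env dump in the job log would print.
JOB_LOG_OK = """\
Running with gitlab-runner (constructed log)
SECURE_LOG_LEVEL=debug
SECRET_DETECTION_HISTORIC_SCAN=true
"""

# Constructed job log showing the bug: the policy value was not applied.
JOB_LOG_BUG = """\
Running with gitlab-runner (constructed log)
SECURE_LOG_LEVEL=debug
SECRET_DETECTION_HISTORIC_SCAN=false
"""


def policy_variables(policy: dict, scan: str) -> dict:
    """Collect the variables of every action in an enabled policy that
    targets the given scanner (later actions override earlier ones)."""
    if not policy.get("enabled", False):
        return {}
    merged = {}
    for action in policy.get("actions", []):
        if action.get("scan") == scan:
            merged.update(action.get("variables", {}))
    return merged


_ENV_LINE = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def env_from_log(log: str) -> dict:
    """Pick KEY=value lines out of a job log (assumed dump format);
    unrelated log lines are ignored."""
    env = {}
    for line in log.splitlines():
        match = _ENV_LINE.match(line.strip())
        if match:
            env[match.group(1)] = match.group(2)
    return env


def check_propagation(policy: dict, log: str, scan: str = "secret_detection") -> list:
    """Return (name, expected, actual) triples for every policy variable
    whose value is missing from or different in the job log. An empty
    list means every policy variable was applied; actual is None when
    the variable does not appear in the log at all."""
    expected = policy_variables(policy, scan)
    actual = env_from_log(log)
    return [
        (name, value, actual.get(name))
        for name, value in expected.items()
        if actual.get(name) != value
    ]


if __name__ == "__main__":
    for label, log in (("fixed", JOB_LOG_OK), ("buggy", JOB_LOG_BUG)):
        problems = check_propagation(POLICY, log)
        print(label, "OK" if not problems else problems)
```

To use it on a real pipeline, paste the raw log of the policy-created secret detection job into `JOB_LOG_OK` (or read it from a file) and run the script; any non-empty result is a variable the policy set but the job did not pick up.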
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Marcos Rocha