Skip to content

Fix scan execution policy CI variables for pipelines

What does this MR do and why?

This MR allows SECRET_DETECTION_HISTORIC_SCAN variable to be set for secret detection scans in scan execution policies for regular pipelines.

This fix the bug when a user added the CI variable SECRET_DETECTION_HISTORIC_SCAN: 'true', but the secret detection job in the pipeline did not use the variable value.

Related to #420332 (closed)

Screenshots or screen recordings

Before After
Screenshot_2023-08-29_at_11.11.54_AM Screenshot_2023-08-29_at_11.33.05_AM

How to set up and validate locally

  1. Create a new project
  2. Navigate to Secure => Policies => New policy => Scan execution
  3. Create a policy like:
type: scan_execution_policy
name: Secret Detection Execution
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: secret_detection
    variables:
      SECRET_DETECTION_HISTORIC_SCAN: 'true'
      SECURE_LOG_LEVEL: debug
      SECRET_DETECTION_RULESET_GIT_REFERENCE: >-
        $USER_EXT_RULESET_SEC_POL:$EXT_RULESET_SEC_POL@gitlab.com/roche/playground/gitlab-duo/group-security-policies
scan_result_policy:
  - name: Found Secret Block
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
  1. Save the policy, merge it.
  2. Add a .gitlab-ci.yml like:
test-job:
  script:
    - echo "Test Job..."
  1. Wait for the pipeline execution
  2. Inspect the secret detection job logs and look for the SECRET_DETECTION_HISTORIC_SCAN value. It should be true as defined in the policy.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha

Merge request reports

Loading