Set policies CI variables with the highest precedence
What does this MR do and why?
This MR changes CI variables precedence for variables defined by security policies and makes them enforced with the highest precedence for scan execution policy jobs, so that they cannot be overwritten. Previously, the policies variables were set as part of each job, so variables on the instance, group, project level or manual pipeline run variables could overwrite them.
This change is behind the `security_policies_variables_precedence` feature flag.
Screenshots or screen recordings
| Job | Variable value (job log screenshot) |
|---|---|
| build-job | |
| dast | |
| sast_iac | |
| dependency-scanning | |
| container-scanning | |
| secrets-detection | |
| sast | |
How to set up and validate locally
- In the Rails console, enable the feature flag:

  ```ruby
  Feature.enable(:security_policies_variables_precedence)
  ```

- Go to Secure -> Policies and create a new Scan Execution Policy. Switch to `.yaml` mode and, using the following YAML, define all the scans, each with a different value of the same CI variable:

  ```yaml
  type: scan_execution_policy
  name: All scans
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: dast
      site_profile: ''
      scanner_profile: ''
      variables:
        TEST_TOKEN: my-dast-policy-token
    - scan: sast_iac
      variables:
        TEST_TOKEN: my-sast-iac-policy-token
    - scan: dependency_scanning
      variables:
        TEST_TOKEN: my-dependency-scanning-policy-token
    - scan: container_scanning
      variables:
        TEST_TOKEN: my-container-scanning-policy-token
    - scan: secret_detection
      variables:
        TEST_TOKEN: my-secrets-policy-token
    - scan: sast
      variables:
        TEST_TOKEN: my-sast-policy-token
  ```

- Add a `.gitlab-ci.yml` file:

  ```yaml
  variables:
    TEST_TOKEN: "my-global-token"
    CI_DEBUG_TRACE: "true"

  build-job:
    script:
      - echo "Compiling the code..."
      - echo "Compile complete."
    variables:
      TEST_TOKEN: "my-build-job-token"
  ```

- Define the `TEST_TOKEN` CI variable on various levels:
  - Admin -> Settings -> CI/CD -> Variables with value `my-instance-token`
  - Group -> Settings -> CI/CD -> Variables with value `my-group-token`
  - Project -> Settings -> CI/CD -> Variables with value `my-project-token`
- Go to Pipelines -> Run pipeline. Add the `TEST_TOKEN` variable with value `my-manual-pipeline-run-token`.
- Go to the created pipeline and observe the output of each job. Each job should have `TEST_TOKEN` exported, and the last exported value should match the value defined in the policy.
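The last validation step is easy to get wrong by eye, because with `CI_DEBUG_TRACE` enabled each job trace exports `TEST_TOKEN` several times and only the final export is what the script sees. The following checker is an added example, not code from this MR or from GitLab: it takes the job traces as lists of lines, picks the last `export TEST_TOKEN=...` line per job, and compares it with the values from the policy YAML above. The sample traces are constructed, the xtrace line format (`++ export NAME=value`) is assumed, and the mapping from scan names to job names follows the job list in the screenshots table.

```python
"""Verify that each policy job's final exported TEST_TOKEN is the policy value."""
import re
from typing import Dict, List, Optional, Tuple

# Expected value per job, copied from the scan execution policy YAML above.
# The job names are assumed to match the names shown in the pipeline.
POLICY_EXPECTED: Dict[str, str] = {
    "dast": "my-dast-policy-token",
    "sast_iac": "my-sast-iac-policy-token",
    "dependency-scanning": "my-dependency-scanning-policy-token",
    "container-scanning": "my-container-scanning-policy-token",
    "secrets-detection": "my-secrets-policy-token",
    "sast": "my-sast-policy-token",
}

# Assumed bash xtrace shape under CI_DEBUG_TRACE, e.g.
#   ++ export TEST_TOKEN=my-dast-policy-token
#   + export TEST_TOKEN='quoted value'
# One or more '+' prefix characters and optional quoting are tolerated.
EXPORT_RE = re.compile(
    r"^\++\s*export\s+(?P<name>[A-Za-z_][A-Za-z0-9_]*)="
    r"(?P<q>['\"]?)(?P<value>.*?)(?P=q)\s*$"
)


def last_exported_value(log_lines: List[str], name: str) -> Optional[str]:
    """Return the value of the LAST 'export <name>=...' line in a trace.

    A variable is exported more than once during a job (global, job-level,
    and higher-precedence sources), so only the final export reflects the
    value the job script actually runs with.
    """
    value: Optional[str] = None
    for line in log_lines:
        match = EXPORT_RE.match(line.rstrip("\n"))
        if match and match.group("name") == name:
            value = match.group("value")
    return value


def check_pipeline(
    job_logs: Dict[str, List[str]],
    variable: str = "TEST_TOKEN",
    expected: Dict[str, str] = POLICY_EXPECTED,
) -> Dict[str, Tuple[Optional[str], Optional[bool]]]:
    """Map each job to (observed_value, ok).

    ok is True/False for jobs governed by the policy and None for jobs the
    policy does not cover (e.g. build-job), which are reported only.
    """
    results: Dict[str, Tuple[Optional[str], Optional[bool]]] = {}
    for job, lines in job_logs.items():
        observed = last_exported_value(lines, variable)
        verdict = (observed == expected[job]) if job in expected else None
        results[job] = (observed, verdict)
    return results


def failing_jobs(results: Dict[str, Tuple[Optional[str], Optional[bool]]]) -> List[str]:
    """Names of policy jobs whose final value was overridden by another source."""
    return sorted(job for job, (_, ok) in results.items() if ok is False)


# Constructed sample traces (not real job output).
SAMPLE_LOGS: Dict[str, List[str]] = {
    # Policy job with the precedence fix active: the policy value is exported last.
    "dast": [
        "++ export TEST_TOKEN=my-instance-token",
        "++ export TEST_TOKEN=my-group-token",
        "++ export TEST_TOKEN=my-project-token",
        "++ export TEST_TOKEN=my-manual-pipeline-run-token",
        "++ export TEST_TOKEN=my-dast-policy-token",
        "+ echo ok",
    ],
    # Policy job showing the pre-change behaviour: the manual run value wins.
    "sast": [
        "++ export TEST_TOKEN=my-sast-policy-token",
        "++ export TEST_TOKEN=my-manual-pipeline-run-token",
    ],
    # Not a policy job; its value is reported but not judged.
    "build-job": [
        "++ export TEST_TOKEN=my-manual-pipeline-run-token",
        "+ echo 'Compiling the code...'",
    ],
}

if __name__ == "__main__":
    outcome = check_pipeline(SAMPLE_LOGS)
    for job, (value, ok) in outcome.items():
        status = "n/a" if ok is None else ("OK" if ok else "OVERRIDDEN")
        print(f"{job:22s} {value!s:40s} {status}")
    print("failing:", failing_jobs(outcome))
```

In practice the `SAMPLE_LOGS` dictionary would be filled from the raw trace of each job in the created pipeline; a job that reports `OVERRIDDEN` is one where a lower-precedence source (instance, group, project or manual run) still won, which is exactly the behaviour this MR is meant to remove.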
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #424028 (closed)
Edited by Martin Čavoj