Skip to content

Allow stage definitions in custom yaml

What does this MR do and why?

This enables stages to be defined in a security policy using custom yaml:

  • It merges stages defined in security policy yaml with stages defined in project .gitlab-ci.yaml or default stages.
  • It injects .pre and .post stages at the beginning and end of the stages.

Screenshots or screen recordings

📺 Demo: youtu.be/C8SIubEstu8

How to set up and validate locally

  1. Upload a GitLab Ultimate license.
  2. Enable the feature flag:
    echo "Feature.enable(:compliance_pipeline_in_policies)" | rails c
  3. Create a new project with a simple .gitlab-ci.yml file:
    project job:
      stage: build
      script:
        - echo "job defined in project CI"
  4. Go to Secure -> Policies -> New policy -> Scan Execution Policy.
  5. Go to yaml mode and paste a policy that defines custom stages:
    type: scan_execution_policy
    name: 'custom stages'
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
    - scan: custom
      ci_configuration: |-
        stages:
          - custom_stage
        security policy job:
          stage: custom_stage
          script:
            - echo "This is a security policy"
  6. Go back to the project -> Build -> Pipelines.
  7. Select Run Pipeline.
  8. Select Run Pipeline again.
  9. The pipeline should have two stages build and custom_stage.

Other things to verify

Merge stages with project CI
  1. Change .gitlab-ci.yml to include a custom stage:
    stages:
      - custom_project_stage
    project job:
      stage: custom_project_stage
      script:
        - echo "job defined in project CI"
  2. Commit the changes
  3. The latest pipeline should have custom_stage and custom_project_stage
Edge stages
  1. Change .gitlab-ci.yml to include jobs for edge stages:
    pre job:
      stage: .pre
      script:
        - echo "job defined in project CI"
    post job:
      stage: .post
      script:
        - echo "job defined in project CI"
  2. Commit the changes.
  3. The latest pipeline should have the following stages in the same order: .pre custom_stage .post
Rule schedules
  1. Go back to Secure -> Policies
  2. Select custom stages -> Edit policy
  3. Change the policy to run on a schedule:
    type: scan_execution_policy
    name: custom stages
    description: ''
    enabled: true
    rules:
      - type: schedule
        cadence: 0 0 * * *
        branch_type: all
    actions:
      - scan: custom
        ci_configuration: |-
          stages:
            - custom_stage
          security policy job:
            stage: custom_stage
            script:
              - echo "This is a security policy"
  4. Trigger the schedule worker
    echo "Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)\nSecurity::OrchestrationPolicyRuleScheduleWorker.new.perform" | rails c
  5. Go back to the project -> Build -> Pipelines.
  6. Select the latest pipeline. (It might take a few seconds until the rule schedule pipeline appears)
  7. There should only be one job on the custom_stage stage.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #425012 (closed)

Edited by Andy Schoenen

Merge request reports

Loading