
Add feature toggle for security policy custom CI YAML

What does this MR do and why?

This adds a feature toggle for the policy custom CI YAML feature as a group-level setting using the cascading settings framework.

We are planning to release the feature as an experiment.

The toggle itself is behind the compliance_pipeline_in_policies feature flag. The plan is to:

  1. Add the feature toggle behind the feature flag. (this MR)
  2. Default enable the feature flag.
  3. The feature will still be disabled by default, but users may now choose to opt in by enabling the toggle.

I tried to keep the frontend changes in this MR minimal. Before we can enable the feature flag and release the toggle, we need to:

  • Tweak the UI to look like the "Experiment" UI chip, as proposed here.
  • Control the UI with the feature toggle instead of only the feature flag.

Screenshots or screen recordings

Screenshot_2023-12-01_at_12.26.12

How to set up and validate locally

  1. Enable the feature flag: echo "Feature.enable(:compliance_pipeline_in_policies)" | rails c
  2. Create a new group
  3. Go to the group settings page.
  4. Expand the Permissions and group features section
  5. Enable Run customized CI YAML file as security policy actions
  6. Create a new project in the group
  7. Add a simple .gitlab-ci.yml file:
    job1:
      stage: build
      script:
        - echo "Hello"
  8. Go back to the group and select Secure -> Policies
  9. Select New policy -> Scan execution policy
  10. Switch to .yaml mode and paste the following policy
    type: scan_execution_policy
    name: 'test'
    description: ''
    enabled: true
    policy_scope:
      compliance_frameworks: []
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: secret_detection
      - scan: custom
        ci_configuration: |-
          job2:
            stage: build
            script:
              - echo "Hello"
  11. Go back to your project and start a pipeline
  12. The pipeline should contain job1 and job2
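The gating that the validation steps above exercise, written as an added stand-alone Ruby example (not code from this MR or from GitLab): the custom CI YAML from the policy is merged into the project pipeline only when the feature flag and the cascading group toggle are both on. The group structure, the inheritance walk, and the job-merge semantics are simplified assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample project .gitlab-ci.yml (step 7 of the description).
PROJECT_CI = <<~YAML
  job1:
    stage: build
    script:
      - echo "Hello"
YAML

# Constructed sample scan execution policy (step 10 of the description), trimmed.
POLICY = <<~YAML
  type: scan_execution_policy
  enabled: true
  actions:
    - scan: secret_detection
    - scan: custom
      ci_configuration: |-
        job2:
          stage: build
          script:
            - echo "Hello"
YAML

# Hypothetical cascading setting model (not GitLab's own): a group hash sets
# :toggle explicitly (true/false) or leaves it nil to inherit from :parent.
# A root group with no explicit value defaults to disabled.
def toggle_enabled?(group)
  while group
    return group[:toggle] unless group[:toggle].nil?
    group = group[:parent]
  end
  false
end

# Job names the pipeline would contain. Custom CI YAML actions are applied
# only when the policy is enabled, the feature flag is on, and the resolved
# group toggle is on; otherwise only the project's own jobs remain.
def pipeline_jobs(project_ci, policy_yaml, group, feature_flag:)
  jobs = YAML.safe_load(project_ci)
  policy = YAML.safe_load(policy_yaml)
  return jobs.keys unless policy['enabled'] && feature_flag && toggle_enabled?(group)
  policy['actions'].each do |action|
    next unless action['scan'] == 'custom'
    # Simplified merge: a policy job overrides a project job of the same name.
    jobs.merge!(YAML.safe_load(action['ci_configuration']))
  end
  jobs.keys
end
```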

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #433236 (closed)

Edited by Andy Schoenen
