
Fix security policy source to not trigger pipelines for tags

What does this MR do and why?

In #403723 (closed), we updated the scan execution policies to create pipelines even if Auto DevOps is disabled and no .gitlab-ci.yml is present. These changes caused invalid pipelines to be triggered when a new tag is created under the following conditions:

  • scan_execution_policy enabled
  • Auto DevOps disabled
  • no .gitlab-ci.yml file

However, the scan execution policy is not applicable to tags. This MR adds an additional check so that no pipeline is triggered when a new tag is created.

Related to #439507 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new project with a README.md file
  2. Make sure the project does not have a .gitlab-ci.yml and that Auto DevOps is disabled
  3. Update the README file
  4. Create a new scan execution policy with the following content:

```yaml
type: scan_execution_policy
name: se
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: all
actions:
  - scan: secret_detection
```

  5. Go to Code > Tags
  6. Add a new tag
  7. Verify that no pipeline is created.
Edited by Marcos Rocha
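The following Ruby script is an added example, not code from this MR or from GitLab itself. It models the decision the MR is about: given a scan execution policy and a pushed ref, should a policy pipeline be created? The policy YAML is the one from the validation steps above; the `Project` struct, the `rule_matches_branch?` and `policy_pipeline_wanted?` helpers and the `refs/heads/` / `refs/tags/` prefix handling are assumptions made for this example, and the `branch_type` handling is a simplified approximation rather than GitLab's evaluator. The point it shows is that a tag ref is rejected before any branch rule is consulted, even when the rule says `branch_type: all`.

```ruby
require 'yaml'

# Constructed sample policy for this example; same content as the policy
# used in the validation steps above.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: se
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: all
  actions:
    - scan: secret_detection
YAML

# Hypothetical minimal project model (not a GitLab class): the default branch
# and the list of protected branch names.
Project = Struct.new(:default_branch, :protected_branches, keyword_init: true)

# Does a single policy rule apply to the given branch name?
# Only `pipeline` rules are considered. `branch_type` is approximated here;
# otherwise fall back to glob patterns under `branches`.
def rule_matches_branch?(rule, branch, project)
  return false unless rule['type'] == 'pipeline'

  case rule['branch_type']
  when 'all'       then true
  when 'default'   then branch == project.default_branch
  when 'protected' then project.protected_branches.include?(branch)
  else
    Array(rule['branches']).any? { |pattern| File.fnmatch?(pattern, branch) }
  end
end

# Should a scan execution policy pipeline be created for this ref?
# Tags are rejected up front: scan execution policies apply to branches only,
# so a `branch_type: all` rule must not be reached for refs/tags/*.
def policy_pipeline_wanted?(policy, ref, project)
  return false unless policy['enabled']
  return false if ref.start_with?('refs/tags/')   # the tag check this MR introduces, modelled
  return false unless ref.start_with?('refs/heads/')

  branch = ref.delete_prefix('refs/heads/')
  Array(policy['rules']).any? { |rule| rule_matches_branch?(rule, branch, project) }
end

if __FILE__ == $PROGRAM_NAME
  policy  = YAML.safe_load(POLICY_YAML)
  project = Project.new(default_branch: 'main', protected_branches: ['main'])
  %w[refs/heads/main refs/heads/feature/x refs/tags/v1.0.0].each do |ref|
    puts "#{ref}: #{policy_pipeline_wanted?(policy, ref, project) ? 'pipeline' : 'no pipeline'}"
  end
end
```

Running it prints a pipeline decision for the two branch refs and "no pipeline" for the tag, which is the behaviour the validation steps check by hand. Without the `refs/tags/` guard, `branch_type: all` would match the tag name as if it were a branch, which is the invalid pipeline the MR description refers to.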
