Fix policy variables in scheduled pipelines

Martin Čavoj requested to merge mc/fix-variables-for-scheduled-pipelines into master

What does this MR do and why?

This MR fixes policy variables in scheduled pipelines. The bug was introduced when we enabled security_policies_variables_precedence by default in !139828 (merged), because active_policies_scan_actions_for_project, used in the variables builder, was filtering only for pipeline rules.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


How to set up and validate locally

  1. Create a project
  2. Create .gitlab-ci.yml:
    build_job:
      script:
        echo 'build'
  3. Under Settings -> CI/CD, create a new variable CI_REGISTRY_IMAGE with value citizenstig/dvwa
  4. Under Secure -> Policies, create a new policy:
    type: scan_execution_policy
    name: Container scanning with variables
    description: ''
    enabled: true
    actions:
      - scan: container_scanning
        variables:
          CS_IMAGE: '$CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}'
          SECURE_LOG_LEVEL: debug
          CI_DEBUG_TRACE: 'true'
    rules:
      - type: schedule
        cadence: '*/15 * * * *'
        branch_type: default
  5. Open the Rails console and trigger the scheduled build manually:
    Security::OrchestrationPolicyRuleSchedule.last.update_columns next_run_at: 1.minute.ago
    Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  6. Go to the new pipeline and verify that variables were set (CI_DEBUG_TRACE should print out all variables)
  7. Trigger a pipeline on main and verify that only build_job is present
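
Added example, not GitLab's code: a simplified Ruby model of the regression described above, where a lookup limited to pipeline rules drops the variables of a schedule-only policy, checked against steps 6 and 7. The helper names, the second policy, and the `scheduled:` flag are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample: the policy from the validation steps plus a pipeline-rule policy.
POLICIES = YAML.safe_load(<<~'YAML')
  - name: Container scanning with variables
    enabled: true
    actions:
      - scan: container_scanning
        variables:
          CS_IMAGE: '$CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}'
          SECURE_LOG_LEVEL: debug
    rules:
      - type: schedule
        cadence: '*/15 * * * *'
  - name: Secret detection on every pipeline
    enabled: true
    actions:
      - scan: secret_detection
        variables:
          SECURE_LOG_LEVEL: info
    rules:
      - type: pipeline
YAML

# Hypothetical helper: actions of enabled policies that have a rule of a given type.
def scan_actions(policies, rule_types)
  policies
    .select { |p| p['enabled'] && p['rules'].any? { |r| rule_types.include?(r['type']) } }
    .flat_map { |p| p['actions'] }
end

# Hypothetical helper: variables the matching policies define for one scan job.
def policy_variables(policies, scan, rule_types)
  scan_actions(policies, rule_types)
    .select { |a| a['scan'] == scan }
    .map { |a| a['variables'] || {} }
    .reduce({}, :merge)
end

# Regressed lookup: only pipeline rules are considered, whatever triggered the run.
def variables_before(policies, scan)
  policy_variables(policies, scan, %w[pipeline])
end

# Corrected lookup (assumed shape): the rule type follows the trigger.
def variables_after(policies, scan, scheduled:)
  policy_variables(policies, scan, scheduled ? %w[schedule] : %w[pipeline])
end
```

With the regressed lookup the scheduled container scan runs without `CS_IMAGE`, so it falls back to defaults instead of the image the policy names. The `scheduled: false` case mirrors step 7, where the schedule-only policy contributes nothing to a regular pipeline.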
