Fix policy variables in scheduled pipelines
What does this MR do and why?
This MR fixes policy variables in scheduled pipelines. The bug was introduced when we enabled `security_policies_variables_precedence` by default in !139828 (merged), because `active_policies_scan_actions_for_project`, used in the variables builder, was filtering only for `pipeline` rules.
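The following is an added illustration, not code from this MR or from GitLab: a stripped-down model of how variables declared on scan execution policy actions reach a pipeline, showing why taking scan actions only from policies with a `pipeline` rule silently drops the variables of a policy whose rule is of type `schedule`. The policy hashes are constructed from the YAML shape used in the validation steps below; the method names, the `source` values and the "last definition wins" merge are assumptions made for the example and are not GitLab's real implementation.

```ruby
# Added example (not GitLab's code): models the rule-type filter bug described
# in the MR. Method and source names are assumptions for illustration only.

# Constructed policies in the shape of a scan execution policy.
POLICIES = [
  {
    'name' => 'SAST on every push',
    'enabled' => true,
    'actions' => [{ 'scan' => 'sast', 'variables' => { 'SAST_EXCLUDED_PATHS' => 'spec,test' } }],
    'rules' => [{ 'type' => 'pipeline', 'branches' => ['*'] }]
  },
  {
    'name' => 'Container scanning with variables',
    'enabled' => true,
    'actions' => [{
      'scan' => 'container_scanning',
      'variables' => {
        'CS_IMAGE' => '$CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}',
        'SECURE_LOG_LEVEL' => 'debug'
      }
    }],
    'rules' => [{ 'type' => 'schedule', 'cadence' => '*/15 * * * *', 'branch_type' => 'default' }]
  },
  {
    'name' => 'Disabled policy must never contribute variables',
    'enabled' => false,
    'actions' => [{ 'scan' => 'container_scanning', 'variables' => { 'CS_IMAGE' => 'should-not-appear' } }],
    'rules' => [{ 'type' => 'schedule', 'cadence' => '0 0 * * *', 'branch_type' => 'default' }]
  }
].freeze

# Before: scan actions come only from enabled policies that carry a `pipeline`
# rule, no matter how the current pipeline was triggered. A scheduled policy
# therefore contributes no actions and no variables.
def scan_actions_before(policies)
  policies
    .select { |p| p['enabled'] && p['rules'].any? { |r| r['type'] == 'pipeline' } }
    .flat_map { |p| p['actions'] }
end

# After: the rule type is derived from the pipeline source (assumed value
# 'security_orchestration_policy' for a policy-scheduled pipeline), so a
# scheduled run picks up the actions of `schedule` policies instead.
def scan_actions_after(policies, source)
  rule_type = source == 'security_orchestration_policy' ? 'schedule' : 'pipeline'
  policies
    .select { |p| p['enabled'] && p['rules'].any? { |r| r['type'] == rule_type } }
    .flat_map { |p| p['actions'] }
end

# Variables builder: merge the `variables` of every selected action for one
# scan type. Later actions win on conflicting keys (assumed precedence).
def policy_variables(actions, scan)
  actions
    .select { |a| a['scan'] == scan }
    .each_with_object({}) { |a, vars| vars.merge!(a['variables'] || {}) }
end

def scheduled_cs_variables_before
  policy_variables(scan_actions_before(POLICIES), 'container_scanning')
end

def scheduled_cs_variables_after
  policy_variables(scan_actions_after(POLICIES, 'security_orchestration_policy'), 'container_scanning')
end

def branch_push_cs_variables_after
  policy_variables(scan_actions_after(POLICIES, 'push'), 'container_scanning')
end

if __FILE__ == $PROGRAM_NAME
  p scheduled_cs_variables_before   # {} : CS_IMAGE silently missing (the bug)
  p scheduled_cs_variables_after    # CS_IMAGE and SECURE_LOG_LEVEL present
  p branch_push_cs_variables_after  # {} : a push to main gets no policy scan
end
```

The disabled policy is included so the filter's `enabled` check stays visible: the fix widens which rule types are considered, not which policies are active.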
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
How to set up and validate locally
- Create a project.
- Create `.gitlab-ci.yml`:

  ```yaml
  build_job:
    script: echo 'build'
  ```

- Under Settings -> CI/CD, create a new variable `CI_REGISTRY_IMAGE` with value `citizenstig/dvwa`.
- Under Secure -> Policies, create a new policy:

  ```yaml
  type: scan_execution_policy
  name: Container scanning with variables
  description: ''
  enabled: true
  actions:
    - scan: container_scanning
      variables:
        CS_IMAGE: '$CI_REGISTRY_IMAGE:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}'
        SECURE_LOG_LEVEL: debug
        CI_DEBUG_TRACE: 'true'
  rules:
    - type: schedule
      cadence: '*/15 * * * *'
      branch_type: default
  ```

- Open a Rails console and trigger the scheduled build manually:

  ```ruby
  Security::OrchestrationPolicyRuleSchedule.last.update_columns(next_run_at: 1.minute.ago)
  Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  ```

- Go to the new pipeline and verify that the variables were set. `CI_DEBUG_TRACE` prints all job variables, including masked ones, to the job log, so use it only on a throwaway local instance.
- Trigger a pipeline on `main` and verify that only `build_job` is present.