Pipeline Execution Policy with override_ci strategy overrides and disables defined Scan Execution Policies
Summary
When a project has both a Scan Execution Policy (SEP) and a Pipeline Execution Policy (PEP), and the PEP uses the `override_ci` strategy, the SEP is unintentionally overridden. This behavior is counterintuitive: the security scans the SEP is meant to enforce silently do not run.
Steps to Reproduce
- Configure a Scan Execution Policy for a project.
- Configure a Pipeline Execution Policy using the `override_ci` strategy for the same project.
- Trigger a pipeline for the project.
What is the current bug behavior?
The Pipeline Execution Policy with the `override_ci` strategy removes `pipeline.stages`, which includes the stages (and therefore the jobs) added by Scan Execution Policies. As a result, the security scans defined in the SEP are not executed, even though the SEP is enabled.
What is the expected correct behavior?
Both Pipeline Execution Policies and Scan Execution Policies should be applied and respected, regardless of the strategy used in PEP. Security scans defined in SEP should be executed alongside the jobs defined in PEP.
Workaround
Until this issue is resolved, users can include the necessary scanner templates in their Pipeline Execution Policy to maintain the desired security scans when using the `override_ci` strategy.
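The configuration from the reproduction steps, together with the workaround, as an added example; it is not taken from the issue or from GitLab's own code. It assumes a security policy project at `security/policies` whose `policy.yml` holds both policies, and a CI file `pep-ci.yml` in that same project that the PEP includes; those paths and the `policy-build`/`policy-deploy` job names are illustrative. The strategy is written with its documented keyword `override_project_ci`, which the issue refers to as `override_ci`.

```yaml
# policy.yml in the security policy project (assumed path: security/policies)

# 1. Scan Execution Policy: adds SAST and secret detection jobs to every
#    pipeline on the default branch.
scan_execution_policy:
  - name: Enforce SAST and secret detection
    description: Security scans required on the default branch
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main
    actions:
      - scan: sast
      - scan: secret_detection

# 2. Pipeline Execution Policy with the override strategy. The project's
#    own .gitlab-ci.yml is ignored and only the included file defines the
#    pipeline. Per this issue, the stages added by the SEP above are
#    dropped as well, so the scans never run unless the included file
#    brings them back itself.
pipeline_execution_policy:
  - name: Enforce pipeline baseline
    description: Replace the project pipeline with the policy-defined one
    enabled: true
    pipeline_config_strategy: override_project_ci   # the issue calls this override_ci
    content:
      include:
        - project: security/policies   # assumed project path
          file: pep-ci.yml             # assumed file name
          ref: main

---
# pep-ci.yml, the file the PEP includes. Workaround: include the scanner
# templates here so the scans survive the override. The templates put their
# jobs in the `test` stage, so that stage must be declared.
stages:
  - build
  - test
  - deploy

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

policy-build:
  stage: build
  script:
    - echo "policy-controlled build"

policy-deploy:
  stage: deploy
  script:
    - echo "policy-controlled deploy"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

To confirm the workaround took effect, open the resulting pipeline and check that the scanner jobs the templates define (for example `secret_detection`) are present in the `test` stage. With the bug present and without the `include` lines in `pep-ci.yml`, those jobs are absent even though the SEP is enabled, which is the quickest way to tell an overridden SEP from one that is simply not matching the branch.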
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
For installations with the omnibus-gitlab package, run and paste the output of `sudo gitlab-rake gitlab:env:info`. For installations from source, run and paste the output of `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`.
Results of GitLab application Check
For installations with the omnibus-gitlab package, run and paste the output of `sudo gitlab-rake gitlab:check SANITIZE=true`. For installations from source, run and paste the output of `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`. (We will only investigate if the tests are passing.)
Possible fixes
- Modify the `override_ci` strategy to preserve stages added by Scan Execution Policies.
- Implement a new mechanism to merge SEP and PEP configurations without overriding each other.