Add failed pipelines with security policy jobs audit event
What does this MR do and why?

This MR adds audit events for failed pipelines where `scan_execution` or `pipeline_execution` policies should be enforced.

This MR also updates the PipelineSkippedAuditor to use the base auditor class added in this MR, as suggested here.
References
Related to: #539232 (closed)
How to set up and validate locally

1. Enable the feature flag:
   ```ruby
   Feature.enable(:collect_security_policy_failed_pipelines_audit_events)
   ```
2. Create a new group.
3. Create a new project in the group.
4. Add a CI config file `policy-ci.yml` with the content:
   ```yaml
   pipeline execution policy job:
     stage: .pipeline-policy-pre
     script:
       - echo "Enforce your policy here"
       - exit 1 # Force the job to fail
   ```
5. Add a `.gitlab/security-policies/policy.yml` file with the content:
   ```yaml
   ---
   pipeline_execution_policy:
     - name: test
       description: ''
       enabled: true
       pipeline_config_strategy: override_project_ci
       content:
         include:
           - project: <path-to-your-project>/project
             file: policy-ci.yml
   ```
6. Go back to the group created in step 2.
7. Go to Secure > Policies.
8. Click on Edit policy project and select the project created in step 3.
9. Create a private webhook receiver.
   9.1. Create a script called `print_http_body.rb`:
   ```ruby
   require 'webrick'

   # Listen on the port given as the first argument (default 8000).
   server = WEBrick::HTTPServer.new(Port: (ARGV.first || 8000).to_i)

   # Print the body of every request the streaming destination sends us.
   server.mount_proc '/' do |req, res|
     puts "=== Received Audit Event ==="
     puts req.body
     puts "=========================="
   end

   # Stop cleanly on Ctrl-C.
   trap 'INT' do
     server.shutdown
   end

   server.start
   ```
   9.2. Start the script:
   ```shell
   ruby print_http_body.rb 8000
   ```
10. Go to Admin > Monitoring > Audit events.
11. Click on the Streams tab.
12. Click on Add streaming destination.
13. Click on HTTP endpoint.
14. Set the destination URL to your listener, e.g. `http://localhost:8000/`.
15. In event filtering select `policy_pipeline_failed`.
16. Click on Add.
17. Go back to the project created in step 3.
18. Create an MR editing the `README.md` file. Verify that a pipeline is created and fails.
19. Verify that 2 audit events for pipeline failures were received by your private listener:
Event 1:

```json
{
  "id": "716c12e9-a8f0-4754-8bfc-23b30cac37fd",
  "author_id": 1,
  "entity_id": 104,
  "entity_type": "Project",
  "details": {
    "commit_sha": "11452e001dda86ab3c9f49bd181adae07c9717eb",
    "merge_request_title": "Edit README.md",
    "merge_request_id": 374,
    "merge_request_iid": 11,
    "source_branch": "root-main-patch-30653",
    "target_branch": "main",
    "project_id": 138,
    "project_name": "project",
    "project_full_path": "test-failed-pipelines-audit-event/project",
    "skipped_policies": [
      {
        "name": "sep",
        "policy_type": "scan_execution_policy"
      }
    ],
    "event_name": "policy_pipeline_failed",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 1098,
    "target_type": "Ci::Pipeline",
    "target_details": "1098",
    "custom_message": "Pipeline: 1098 created by security policies or with security policy jobs failed",
    "ip_address": "172.16.123.1",
    "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project",
  "target_details": "1098",
  "created_at": "2025-07-09T14:16:12.383Z",
  "target_type": "Ci::Pipeline",
  "target_id": 1098,
  "event_type": "policy_pipeline_failed"
}
```

Event 2:

```json
{
  "id": "d7d8c65d-ac41-4b24-8d32-a0d20839d7a9",
  "author_id": 1,
  "entity_id": 138,
  "entity_type": "Project",
  "details": {
    "commit_sha": "11452e001dda86ab3c9f49bd181adae07c9717eb",
    "merge_request_title": "Edit README.md",
    "merge_request_id": 374,
    "merge_request_iid": 11,
    "source_branch": "root-main-patch-30653",
    "target_branch": "main",
    "project_id": 138,
    "project_name": "project",
    "project_full_path": "test-failed-pipelines-audit-event/project",
    "skipped_policies": [
      {
        "name": "test",
        "policy_type": "pipeline_execution_policy"
      }
    ],
    "event_name": "policy_pipeline_failed",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 1098,
    "target_type": "Ci::Pipeline",
    "target_details": "1098",
    "custom_message": "Pipeline: 1098 created by security policies or with security policy jobs failed",
    "ip_address": "172.16.123.1",
    "entity_path": "test-failed-pipelines-audit-event/project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "test-failed-pipelines-audit-event/project",
  "target_details": "1098",
  "created_at": "2025-07-09T14:16:12.329Z",
  "target_type": "Ci::Pipeline",
  "target_id": 1098,
  "event_type": "policy_pipeline_failed"
}
```
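The two events above are emitted for the same pipeline, one per affected policy type, and a streaming consumer only learns that from the `details.skipped_policies` array. The following is an added example, not code from this MR or from GitLab, of a receiver-side consumer that validates a streamed `policy_pipeline_failed` body against the field names shown in the sample payloads, reduces it to the data an alert needs, and folds a batch of events back into one record per pipeline. It goes beyond the printing script in step 9 by rejecting malformed bodies with HTTP 400. The sample bodies embedded below are constructed for the example (ids, SHA and paths are made up); `run_receiver` is a hypothetical drop-in for `print_http_body.rb` and loads the `webrick` gem only when called, since that gem is not bundled with Ruby 3.0 and later.

```ruby
require 'json'

# Keys every policy_pipeline_failed event carries at the top level and under
# "details" (taken from the sample payloads in this MR description).
REQUIRED_TOP_LEVEL = %w[id event_type entity_type target_type target_id details].freeze
REQUIRED_DETAILS   = %w[project_full_path commit_sha skipped_policies custom_message].freeze

# Parse one streamed event body and reduce it to the fields an alert needs.
# Raises ArgumentError for bodies that are not a well-formed
# policy_pipeline_failed event, and JSON::ParserError for non-JSON bodies.
def summarize_policy_failure(body)
  event = JSON.parse(body)
  raise ArgumentError, 'event is not a JSON object' unless event.is_a?(Hash)

  missing = REQUIRED_TOP_LEVEL.reject { |k| event.key?(k) }
  raise ArgumentError, "missing keys: #{missing.join(', ')}" unless missing.empty?
  unless event['event_type'] == 'policy_pipeline_failed'
    raise ArgumentError, "unexpected event_type #{event['event_type'].inspect}"
  end
  unless event['target_type'] == 'Ci::Pipeline'
    raise ArgumentError, "unexpected target_type #{event['target_type'].inspect}"
  end

  details = event['details']
  raise ArgumentError, 'details is not a JSON object' unless details.is_a?(Hash)
  missing = REQUIRED_DETAILS.reject { |k| details.key?(k) }
  raise ArgumentError, "missing details keys: #{missing.join(', ')}" unless missing.empty?

  # "policy_type/name" pairs, e.g. "scan_execution_policy/sep"
  policies = Array(details['skipped_policies']).map do |p|
    "#{p['policy_type']}/#{p['name']}"
  end
  raise ArgumentError, 'skipped_policies is empty' if policies.empty?

  {
    event_id: event['id'],
    pipeline_id: event['target_id'],
    project: details['project_full_path'],
    commit_sha: details['commit_sha'],
    merge_request_iid: details['merge_request_iid'],
    policies: policies,
    actor: event['author_name'],
    created_at: event['created_at']
  }
end

# Group a batch of received bodies by pipeline id, so the separate events
# emitted per policy type for one failed pipeline collapse into one record
# listing every affected policy (sorted, duplicates removed).
def failures_by_pipeline(bodies)
  bodies.map { |b| summarize_policy_failure(b) }
        .group_by { |s| s[:pipeline_id] }
        .transform_values { |ss| ss.flat_map { |s| s[:policies] }.uniq.sort }
end

# Constructed sample bodies shaped like the two events in this MR description.
# All identifiers here are made up for the example.
SAMPLE_SEP = <<~EVENT
  {
    "id": "00000000-0000-4000-8000-000000000001",
    "author_id": 1, "author_name": "Administrator",
    "entity_id": 104, "entity_type": "Project",
    "entity_path": "example-group/security-policy-project",
    "target_id": 4242, "target_type": "Ci::Pipeline", "target_details": "4242",
    "event_type": "policy_pipeline_failed",
    "created_at": "2025-01-01T00:00:00.000Z",
    "details": {
      "commit_sha": "0123456789abcdef0123456789abcdef01234567",
      "merge_request_iid": 7,
      "project_full_path": "example-group/project",
      "skipped_policies": [{"name": "sep", "policy_type": "scan_execution_policy"}],
      "custom_message": "Pipeline: 4242 created by security policies or with security policy jobs failed"
    }
  }
EVENT

# Second event for the same pipeline, differing only in id and policy.
SAMPLE_PEP = SAMPLE_SEP
             .sub('"name": "sep", "policy_type": "scan_execution_policy"',
                  '"name": "test", "policy_type": "pipeline_execution_policy"')
             .sub('000000000001', '000000000002')

# Hypothetical replacement for the print_http_body.rb handler in step 9:
# validate each body and answer 400 to anything that is not a well-formed
# event. Not started here; call run_receiver(8000) to listen.
def run_receiver(port)
  require 'webrick' # separate gem on Ruby 3.0+; loaded only when listening
  server = WEBrick::HTTPServer.new(Port: port)
  server.mount_proc '/' do |req, res|
    begin
      s = summarize_policy_failure(req.body.to_s)
      puts "pipeline #{s[:pipeline_id]} in #{s[:project]} failed; policies: #{s[:policies].join(', ')}"
      res.status = 200
    rescue JSON::ParserError, ArgumentError => e
      warn "rejected event: #{e.message}"
      res.status = 400
    end
  end
  trap('INT') { server.shutdown }
  server.start
end
```

The validation is deliberately strict about `event_type` and `target_type`: a streaming destination filtered to `policy_pipeline_failed` should never deliver anything else, so an unexpected body is worth logging as a misconfiguration rather than silently ignoring.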
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha