
Add failed pipelines with security policy jobs audit event

What does this MR do and why?

This MR adds audit events for failed pipelines where scan_execution or pipeline_execution policies should be enforced.

This MR also updates the PipelineSkippedAuditor to use the base auditor class added in this MR as suggested here.

References

Related to: #539232 (closed)

How to set up and validate locally

  1. Enable the feature flag:

     Feature.enable(:collect_security_policy_failed_pipelines_audit_events)

  2. Create a new group
  3. Create a new project in the group
  4. Add a CI config file policy-ci.yml with the content:

     pipeline execution policy job:
       stage: .pipeline-policy-pre
       script:
         - echo "Enforce your policy here"
         - exit 1  # Force the job to fail

  5. Add a .gitlab/security-policies/policy.yml file with the content:

     ---
     pipeline_execution_policy:
     - name: test
       description: ''
       enabled: true
       pipeline_config_strategy: override_project_ci
       content:
         include:
         - project: <path-to-your-project>/project
           file: policy-ci.yml

  6. Go back to the group created on step 2
  7. Go to Secure > Policies
  8. Click on Edit policy project and select the project created on step 3.
  9. Create a private webhook receiver.

     9.1. Create a script called print_http_body.rb

     require 'webrick'

     # Listen on the port given as the first argument (default 8000) and
     # print the body of every streamed audit event that arrives.
     server = WEBrick::HTTPServer.new(:Port => Integer(ARGV.fetch(0, '8000')))
     server.mount_proc '/' do |req, res|
       puts "=== Received Audit Event ==="
       puts req.body
       puts "=========================="
       res.status = 200
     end

     # Ctrl-C stops the server cleanly.
     trap 'INT' do
       server.shutdown
     end
     server.start

     9.2. Start the script

     ruby print_http_body.rb 8000

  10. Go to Admin > Monitoring > Audit events
  11. Click on the Streams tab
  12. Click on Add streaming destination
  13. Click on HTTP endpoint
  14. Set the destination URL to your listener, e.g. http://localhost:8000/
  15. In event filtering select policy_pipeline_failed
  16. Click on Add
  17. Go back to the project created on step 3
  18. Create an MR editing the README.md file
  19. Verify that a pipeline is created and fails
  20. Verify that 2 audit events for pipeline failures were received in your private listener

Audit event 1

{
  "id": "716c12e9-a8f0-4754-8bfc-23b30cac37fd",
  "author_id": 1,
  "entity_id": 104,
  "entity_type": "Project",
  "details": {
    "commit_sha": "11452e001dda86ab3c9f49bd181adae07c9717eb",
    "merge_request_title": "Edit README.md",
    "merge_request_id": 374,
    "merge_request_iid": 11,
    "source_branch": "root-main-patch-30653",
    "target_branch": "main",
    "project_id": 138,
    "project_name": "project",
    "project_full_path": "test-failed-pipelines-audit-event/project",
    "skipped_policies": [
      {
        "name": "sep",
        "policy_type": "scan_execution_policy"
      }
    ],
    "event_name": "policy_pipeline_failed",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 1098,
    "target_type": "Ci::Pipeline",
    "target_details": "1098",
    "custom_message": "Pipeline: 1098 created by security policies or with security policy jobs failed",
    "ip_address": "172.16.123.1",
    "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project",
  "target_details": "1098",
  "created_at": "2025-07-09T14:16:12.383Z",
  "target_type": "Ci::Pipeline",
  "target_id": 1098,
  "event_type": "policy_pipeline_failed"
}

Audit event 2

{
  "id": "d7d8c65d-ac41-4b24-8d32-a0d20839d7a9",
  "author_id": 1,
  "entity_id": 138,
  "entity_type": "Project",
  "details": {
    "commit_sha": "11452e001dda86ab3c9f49bd181adae07c9717eb",
    "merge_request_title": "Edit README.md",
    "merge_request_id": 374,
    "merge_request_iid": 11,
    "source_branch": "root-main-patch-30653",
    "target_branch": "main",
    "project_id": 138,
    "project_name": "project",
    "project_full_path": "test-failed-pipelines-audit-event/project",
    "skipped_policies": [
      {
        "name": "test",
        "policy_type": "pipeline_execution_policy"
      }
    ],
    "event_name": "policy_pipeline_failed",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 1098,
    "target_type": "Ci::Pipeline",
    "target_details": "1098",
    "custom_message": "Pipeline: 1098 created by security policies or with security policy jobs failed",
    "ip_address": "172.16.123.1",
    "entity_path": "test-failed-pipelines-audit-event/project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "test-failed-pipelines-audit-event/project",
  "target_details": "1098",
  "created_at": "2025-07-09T14:16:12.329Z",
  "target_type": "Ci::Pipeline",
  "target_id": 1098,
  "event_type": "policy_pipeline_failed"
}
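The two events above share target_id 1098 (the failed pipeline) but each lists a different policy in skipped_policies, so a consumer that wants one alert per pipeline has to fold them together. The following is an added example, not code from this MR or from GitLab: it parses streamed policy_pipeline_failed bodies and aggregates the policies that went unenforced per pipeline, ignoring other event types, malformed bodies and redelivered events. The sample bodies are constructed from the two events shown above, trimmed to the fields the check uses.

```ruby
require 'json'

# Constructed sample: the two policy_pipeline_failed events from the MR
# description, reduced to the fields used below.
SAMPLE_EVENTS = [
  '{"id":"716c12e9-a8f0-4754-8bfc-23b30cac37fd","event_type":"policy_pipeline_failed",' \
  '"target_id":1098,"details":{"project_full_path":"test-failed-pipelines-audit-event/project",' \
  '"commit_sha":"11452e001dda86ab3c9f49bd181adae07c9717eb","merge_request_iid":11,' \
  '"skipped_policies":[{"name":"sep","policy_type":"scan_execution_policy"}]}}',
  '{"id":"d7d8c65d-ac41-4b24-8d32-a0d20839d7a9","event_type":"policy_pipeline_failed",' \
  '"target_id":1098,"details":{"project_full_path":"test-failed-pipelines-audit-event/project",' \
  '"commit_sha":"11452e001dda86ab3c9f49bd181adae07c9717eb","merge_request_iid":11,' \
  '"skipped_policies":[{"name":"test","policy_type":"pipeline_execution_policy"}]}}'
].freeze

# Parse one streamed body. Returns nil for anything that is not a
# well-formed policy_pipeline_failed event, so a destination that also
# streams other event types can drop them here.
def parse_policy_pipeline_failed(body)
  event = JSON.parse(body)
  return nil unless event['event_type'] == 'policy_pipeline_failed'

  details = event.fetch('details')
  {
    event_id: event.fetch('id'),
    pipeline_id: event.fetch('target_id'),
    project: details.fetch('project_full_path'),
    commit_sha: details.fetch('commit_sha'),
    merge_request_iid: details['merge_request_iid'],
    policies: details.fetch('skipped_policies').map { |p| [p.fetch('policy_type'), p.fetch('name')] }
  }
rescue JSON::ParserError, KeyError, TypeError
  nil
end

# Fold a batch of bodies into one alert per pipeline id, accumulating the
# policies that were not enforced because that pipeline failed. Event ids
# are deduplicated so a redelivered event does not double-count a policy.
def summarize_failures(bodies)
  seen = {}
  bodies.each_with_object({}) do |body, alerts|
    ev = parse_policy_pipeline_failed(body)
    next if ev.nil? || seen[ev[:event_id]]

    seen[ev[:event_id]] = true
    alert = alerts[ev[:pipeline_id]] ||= ev.slice(:project, :commit_sha, :merge_request_iid).merge(policies: [])
    alert[:policies].concat(ev[:policies])
  end
end

puts JSON.pretty_generate(summarize_failures(SAMPLE_EVENTS)) if __FILE__ == $PROGRAM_NAME
```

Wiring summarize_failures into the print_http_body.rb receiver from the setup steps (calling it on req.body) turns the plain printer into a per-pipeline alert source.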

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
