Send an audit event for PEP errors during pipeline creation
What does this MR do and why?
In MR !196628 (merged) we added audit events for failed pipelines where `scan_execution` or `pipeline_execution` policies should be enforced.
In this MR we trigger the same failed-pipeline audit event when an error occurs during pipeline creation for pipeline execution policies. We use the `Pipeline execution policy error:` message prefix to identify these failed pipelines.
Database query
```sql
SELECT
  1 AS one
FROM
  "ci_pipeline_messages"
WHERE
  "ci_pipeline_messages"."pipeline_id" = 1959870800
  AND "ci_pipeline_messages"."severity" = 0
  AND (content LIKE 'Pipeline execution policy error:%')
```
https://postgres.ai/console/gitlab/gitlab-production-ci/sessions/42006/commands/128848
References
Related to: #539232 (closed)
How to set up and validate locally
1. Enable the feature flag in a Rails console:

   ```ruby
   Feature.enable(:collect_security_policy_failed_pipelines_audit_events)
   ```

2. Create a new group.
3. Create a new project in the group.
4. Add a CI config file `policy-ci.yml` with the content:

   ```yaml
   stages: [test, policy-stage, deploy]

   policy-job:
     stage: policy-stage
     script:
       - echo "Enforce your policy here"
   ```

5. Add a `.gitlab/security-policies/policy.yml` file with the content:

   ```yaml
   ---
   pipeline_execution_policy:
     - name: test
       description: ''
       enabled: true
       pipeline_config_strategy: inject_policy
       content:
         include:
           - project: <your-group>/<your-project>
             file: policy-ci.yml
   ```

6. Add a `.gitlab-ci.yml` file with the content:

   ```yaml
   stages: [build, deploy, test]

   project-build-job:
     stage: build
     script:
       - echo "build"

   project-test-job:
     stage: test
     script:
       - echo "test"

   project-deploy-job:
     stage: deploy
     script:
       - echo "deploy"
   ```

7. Go back to the group created in step 2.
8. Go to Secure > Policies.
9. Click on Edit policy project and select the project created in step 3.
10. Create a private webhook receiver.

    10.1. Create a script called `print_http_body.rb`:

    ```ruby
    require 'webrick'

    # Listen on the port given as the first CLI argument (e.g. 8000).
    server = WEBrick::HTTPServer.new(:Port => ARGV.first.to_i)

    # Print the raw body of every request so the streamed audit event can be inspected.
    server.mount_proc '/' do |req, res|
      puts "=== Received Audit Event ==="
      puts req.body
      puts "=========================="
      res.status = 200
    end

    # Stop cleanly on Ctrl-C.
    trap 'INT' do
      server.shutdown
    end

    server.start
    ```

    10.2. Start the script:

    ```shell
    ruby print_http_body.rb 8000
    ```

11. Go to Admin > Monitoring > Audit events.
12. Click on the Streams tab.
13. Click on Add streaming destination.
14. Click on HTTP endpoint.
15. Set the destination URL to your listener, e.g. `http://localhost:8000/`.
16. In event filtering select `policy_pipeline_failed`.
17. Click on Add.
18. Go back to the project created in step 3.
19. Create an MR editing the `README.md` file.
20. Verify that a pipeline could not be created.
21. Verify that an audit event for pipeline failure was received in your private listener:
```json
{
  "id": "70b9b24b-cc73-436c-b014-1468e0a7f4b0",
  "author_id": 1,
  "entity_id": 104,
  "entity_type": "Project",
  "details": {
    "commit_sha": "b30f855fb639e3d94e63f1d1e8ae232c1935eb96",
    "merge_request_title": "Edit README.md",
    "merge_request_id": 400,
    "merge_request_iid": 5,
    "source_branch": "root-main-patch-12048",
    "target_branch": "main",
    "project_id": 163,
    "project_name": "project",
    "project_full_path": "test-cyclic-pep-error/project",
    "skipped_policies": [
      {
        "name": "sep",
        "policy_type": "scan_execution_policy"
      }
    ],
    "event_name": "security_policy_pipeline_failed",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 1346,
    "target_type": "Ci::Pipeline",
    "target_details": "1346",
    "custom_message": "Pipeline: 1346 created by security policies or with security policy jobs failed",
    "ip_address": "172.16.123.1",
    "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "top-level-group-192672/top-level-group-192672-security-policy-project",
  "target_details": "1346",
  "created_at": "2025-07-30T23:23:46.156Z",
  "target_type": "Ci::Pipeline",
  "target_id": 1346,
  "event_type": "security_policy_pipeline_failed"
}
```
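The two pieces a reviewer is likely to want to see side by side are the prefix match that the database query above relies on and what a streaming destination should do with the event payload it receives. The following is an added, self-contained Ruby example written for this description; it is not GitLab's code. It models `ci_pipeline_messages` rows as plain hashes with `:severity` and `:content` keys (an assumption standing in for the real table), applies the same `Pipeline execution policy error:` prefix and `severity = 0` condition as the query, and parses a constructed copy of the event payload shown above, filtering on `event_type` so a listener only acts on policy pipeline failures.

```ruby
require 'json'

# Prefix that marks pipeline-creation errors raised by pipeline execution
# policies; it is the literal the MR's database query matches with LIKE.
PEP_ERROR_PREFIX = 'Pipeline execution policy error:'.freeze

# Severity value the query filters on ("severity" = 0).
QUERIED_SEVERITY = 0

# Mirrors the query: does any message at the queried severity start with the
# policy error prefix? `messages` is an array of hashes with :severity and
# :content keys (a stand-in for ci_pipeline_messages rows, not GitLab's model).
def pep_error?(messages)
  messages.any? do |m|
    m[:severity] == QUERIED_SEVERITY && m[:content].to_s.start_with?(PEP_ERROR_PREFIX)
  end
end

# Parses the JSON body delivered to the streaming destination and returns a
# compact summary, or nil when the event is not a policy pipeline failure.
def summarize_failed_pipeline_event(body)
  event = JSON.parse(body)
  return nil unless event['event_type'] == 'security_policy_pipeline_failed'

  details = event.fetch('details', {})
  {
    pipeline_id: event['target_id'],
    project: details['project_full_path'],
    merge_request_iid: details['merge_request_iid'],
    skipped_policies: details.fetch('skipped_policies', []).map { |p| p['name'] },
    created_at: event['created_at']
  }
end

# Constructed sample rows: one unrelated warning, one policy error at severity 0.
SAMPLE_MESSAGES = [
  { severity: 1, content: 'constructed warning message' },
  { severity: 0, content: 'Pipeline execution policy error: constructed sample message' }
].freeze

# Constructed event body, trimmed from the payload shown in this MR description.
SAMPLE_EVENT = <<~JSON.freeze
  {
    "id": "70b9b24b-cc73-436c-b014-1468e0a7f4b0",
    "entity_type": "Project",
    "details": {
      "merge_request_iid": 5,
      "project_full_path": "test-cyclic-pep-error/project",
      "skipped_policies": [{ "name": "sep", "policy_type": "scan_execution_policy" }],
      "custom_message": "Pipeline: 1346 created by security policies or with security policy jobs failed"
    },
    "created_at": "2025-07-30T23:23:46.156Z",
    "target_type": "Ci::Pipeline",
    "target_id": 1346,
    "event_type": "security_policy_pipeline_failed"
  }
JSON

if __FILE__ == $PROGRAM_NAME
  puts "policy error present: #{pep_error?(SAMPLE_MESSAGES)}"
  p summarize_failed_pipeline_event(SAMPLE_EVENT)
end
```

In the local setup above, `summarize_failed_pipeline_event` is the kind of handler that would replace the bare `puts req.body` in `print_http_body.rb` once you want to act on the event rather than just print it.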
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha