Extend pipeline with security jobs for selected pipelines only

ee/lib/ee/gitlab/ci/config_ee.rb

@@ -25,7 +25,7 @@ module EE
         end
 
         def process_security_orchestration_policy_includes(config)
-          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref).perform
+          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref, source).perform
         end
       end
     end

ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb

@@ -5,16 +5,18 @@ module Gitlab
     class Config
       module SecurityOrchestrationPolicies
         class Processor
-          def initialize(config, project, ref)
+          def initialize(config, project, ref, source)
             @config = config
             @project = project
             @ref = ref
+            @source = source
             @start = Time.current
           end
 
           def perform
             return @config unless project&.feature_available?(:security_orchestration_policies)
             return @config unless security_orchestration_policy_configuration&.enabled?
+            return @config unless extend_configuration?
 
             merged_config = @config.deep_merge(on_demand_scans_template)
             observe_processing_duration(Time.current - @start)
@@ -39,6 +41,12 @@ module Gitlab
               .pipeline_security_orchestration_policy_processing_duration_histogram
               .observe({}, duration.seconds)
           end
+
+          def extend_configuration?
+            return false if @source.nil?
+
+            Enums::Ci::Pipeline.ci_branch_sources.key?(@source.to_sym)
+          end
         end
       end
     end

ee/spec/lib/ee/gitlab/ci/config_spec.rb

@@ -36,6 +36,8 @@ RSpec.describe Gitlab::Ci::Config do
   end
 
   describe 'with security orchestration policy' do
+    let(:source) { 'push' }
+
     let_it_be(:ref) { 'master' }
     let_it_be_with_refind(:project) { create(:project, :repository) }
 
@@ -59,7 +61,7 @@ RSpec.describe Gitlab::Ci::Config do
       EOS
     end
 
-    subject(:config) { described_class.new(ci_yml, ref: ref, project: project) }
+    subject(:config) { described_class.new(ci_yml, ref: ref, project: project, source: source) }
 
     before do
       allow_next_instance_of(Repository) do |repository|
@@ -147,6 +149,14 @@ RSpec.describe Gitlab::Ci::Config do
             it 'extends config with additional jobs' do
               expect(config.to_hash).to include(expected_configuration)
             end
+
+            context 'when source is ondemand_dast_scan' do
+              let(:source) { 'ondemand_dast_scan' }
+
+              it 'does not modify the config' do
+                expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
+              end
+            end
           end
         end
       end

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -3,11 +3,13 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
-  subject { described_class.new(config, project, ref).perform }
+  subject { described_class.new(config, project, ref, source).perform }
 
   let_it_be(:config) { { image: 'ruby:3.0.1' } }
 
-  let_it_be(:ref) { 'master' }
+  let(:ref) { 'master' }
+  let(:source) { 'pipeline' }
+
   let_it_be_with_refind(:project) { create(:project, :repository) }
 
   let_it_be(:policies_repository) { create(:project, :repository) }
@@ -36,6 +38,14 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
     end
   end
 
+  shared_examples 'with pipeline source applicable for CI' do
+    let_it_be(:source) { 'ondemand_dast_scan' }
+
+    it 'does not modify the config' do
+      expect(subject).to eq(config)
+    end
+  end
+
   context 'when feature is not licensed' do
     it 'does not modify the config' do
       expect(subject).to eq(config)
@@ -80,6 +90,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
           end
         end
 
+        it_behaves_like 'with pipeline source applicable for CI'
+
         context 'when DAST profiles are found' do
           let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
           let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
@@ -119,6 +131,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
           it 'extends config with additional jobs' do
             expect(subject).to include(expected_configuration)
           end
+
+          it_behaves_like 'with pipeline source applicable for CI'
         end
       end
     end

lib/gitlab/ci/config.rb

@@ -17,13 +17,14 @@ module Gitlab
         Config::Yaml::Tags::TagError
       ].freeze
 
-      attr_reader :root, :context, :ref
+      attr_reader :root, :context, :ref, :source
 
-      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil)
+      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
         @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
         @context.set_deadline(TIMEOUT_SECONDS)
 
         @ref = ref
+        @source = source
 
         @config = expand_config(config)
 

lib/gitlab/ci/pipeline/chain/config/process.rb

@@ -16,6 +16,7 @@ module Gitlab
                   project: project,
                   ref: @pipeline.ref,
                   sha: @pipeline.sha,
+                  source: @pipeline.source,
                   user: current_user,
                   parent_pipeline: parent_pipeline
                 }