@devops-school
Created May 28, 2025 01:54
Gitlab Pipeline - Enforce Compliance in pipeline code
# =============================
# 🎯 Pipeline Execution Policy YAML
# Enforces: SAST, Secret Detection, Custom Job
# Field names are as written in the gist; validate them against the security
# policy schema of your GitLab version before committing the policy.
# =============================
type: pipeline
name: enforce-secure-pipeline
enabled: true
rules:
  - type: pipeline
    branches:
      include:
        - "*"
    project_filter:
      include:
        - "*"
actions:
  - scan: sast
  - scan: secret_detection
  # Job name matches the job defined in templates/compliance-check.yml
  - job: compliance_check@your-group/secure-ci-templates
# =============================
# ✅ secure-ci-templates/.gitlab-ci.yml (Main Template Project)
# Project: your-group/secure-ci-templates
# =============================
include:
  - local: 'templates/compliance-check.yml'
  - local: 'templates/deploy-guard.yml'
# =============================
# 📄 templates/compliance-check.yml
# Enforces approval-based check before merge
# =============================
compliance_check:
  stage: verify   # the including project must declare a 'verify' stage
  script:
    - |
      echo "Checking for required approvals..."
      # GitLab sets CI_MERGE_REQUEST_APPROVED to "true" only once the merge
      # request meets its approval rules; unset or any other value fails the job
      if [ "$CI_MERGE_REQUEST_APPROVED" != "true" ]; then
        echo "❌ Merge request not approved."
        exit 1
      fi
  rules:
    # Only meaningful in merge request pipelines, where the variable exists
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
# =============================
# 📄 templates/deploy-guard.yml
# Prevent unauthorized deploys to main
# =============================
prevent_direct_main_deploy:
  stage: deploy
  script:
    - |
      echo "Checking branch..."
      # POSIX test so the script also runs under sh-only images (e.g. alpine).
      # CI_COMMIT_BRANCH is unset in merge request pipelines, so this fails
      # every branch pipeline on main that did not come from a merge request
      # event, including the push pipeline after a merge.
      if [ "$CI_COMMIT_BRANCH" = "main" ] && [ "$CI_PIPELINE_SOURCE" != "merge_request_event" ]; then
        echo "❌ Direct deploy to main is not allowed."
        exit 1
      fi
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
  # Note: a failing job in the deploy stage does not stop other jobs in the
  # same stage (the project's manual deploy job can still be triggered).
  # Blocking direct pushes to main itself is done with protected branches.
# =============================
# 🧩 Example Project-level .gitlab-ci.yml
# =============================
include:
  - project: 'your-group/secure-ci-templates'
    file: '/.gitlab-ci.yml'
stages:
  - build
  - test
  - verify   # required by the included compliance_check job
  - deploy
build:
  stage: build
  script:
    - echo "Running build"
test:
  stage: test
  script:
    - echo "Running tests"
deploy:
  stage: deploy
  script:
    - echo "Manual deploy triggered"
  when: manual
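The two guard scripts in templates/compliance-check.yml and templates/deploy-guard.yml read GitLab predefined variables, so they can only be observed by running a pipeline. The following is an added example, not part of the gist: the same two checks as POSIX shell functions, plus a `run_case` helper that runs a gate in a clean subshell with constructed values for `CI_MERGE_REQUEST_APPROVED`, `CI_COMMIT_BRANCH` and `CI_PIPELINE_SOURCE`, so the gate logic (including the unset-variable cases) can be exercised outside CI. The function names and the scenario values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the gist: the compliance_check and
# prevent_direct_main_deploy guards as POSIX shell functions that read the
# same GitLab predefined variables. run_case feeds them constructed values so
# the gate logic can be checked without a pipeline run.

# compliance_check gate: returns 0 when the merge request is approved, 1 otherwise.
# GitLab sets CI_MERGE_REQUEST_APPROVED to "true" only when the MR meets its
# approval rules; an unset variable is treated as not approved.
approval_gate() {
  echo "Checking for required approvals..."
  if [ "${CI_MERGE_REQUEST_APPROVED:-}" != "true" ]; then
    echo "Merge request not approved." >&2
    return 1
  fi
  return 0
}

# prevent_direct_main_deploy gate: returns 1 for a non-merge-request pipeline
# on main, 0 for everything else. CI_COMMIT_BRANCH is unset in merge request
# pipelines, so those pass regardless of CI_PIPELINE_SOURCE.
main_deploy_gate() {
  echo "Checking branch..."
  if [ "${CI_COMMIT_BRANCH:-}" = "main" ] &&
     [ "${CI_PIPELINE_SOURCE:-}" != "merge_request_event" ]; then
    echo "Direct deploy to main is not allowed." >&2
    return 1
  fi
  return 0
}

# Run one gate in a subshell with only the given VAR=value pairs set, so the
# caller's environment (e.g. a real CI job) cannot leak into the check.
# Usage: run_case <gate-function> [VAR=value ...]; exit status is the gate's.
run_case() (
  gate=$1
  shift
  unset CI_MERGE_REQUEST_APPROVED CI_COMMIT_BRANCH CI_PIPELINE_SOURCE
  for kv in "$@"; do
    export "$kv"
  done
  "$gate"
)

# Constructed scenarios (no real pipeline data); prints PASS or BLOCK per case.
demo() {
  for spec in \
    "approval_gate CI_MERGE_REQUEST_APPROVED=true" \
    "approval_gate CI_MERGE_REQUEST_APPROVED=false" \
    "approval_gate" \
    "main_deploy_gate CI_COMMIT_BRANCH=main CI_PIPELINE_SOURCE=push" \
    "main_deploy_gate CI_COMMIT_BRANCH=feature-x CI_PIPELINE_SOURCE=push" \
    "main_deploy_gate CI_PIPELINE_SOURCE=merge_request_event"; do
    # word-splitting of $spec into gate name and VAR=value pairs is intended
    if run_case $spec; then echo "PASS : $spec"; else echo "BLOCK: $spec"; fi
  done
}

# Run as `sh gates.sh demo` to print the scenario table.
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

`run_case` unsets the three variables before applying the constructed ones, which is what makes the "variable absent" cases meaningful: an approval gate that only checked `= "false"` would wrongly pass when the variable is missing, and the deploy gate must pass when `CI_COMMIT_BRANCH` is absent because that is exactly the merge request pipeline case.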