devops-school · May 28, 2025 01:54
diff --git a/.gitlab-ci.ym b/.gitlab-ci.ym
 # =============================
 # 🎯 Pipeline Execution Policy YAML
 # Enforces: SAST, Secret Detection, Custom Job
 # =============================
 type: pipeline
 name: enforce-secure-pipeline
 enabled: true
 rules:
  - type: pipeline
    branches:
      include:
        - "*"
    project_filter:
      include:
        - "*"
 actions:
  - scan: sast
  - scan: secret_detection
  - job: run_compliance_check@your-group/secure-ci-templates


 # =============================
 # ✅ secure-ci-templates/.gitlab-ci.yml (Main Template Project)
 # Project: your-group/secure-ci-templates
 # =============================
 include:
  - local: 'templates/compliance-check.yml'
  - local: 'templates/deploy-guard.yml'


 # =============================
 # 📄 templates/compliance-check.yml
 # Enforces approval-based check before merge
 # =============================
 compliance_check:
  stage: verify
  script:
    - |
      echo "Checking for required approvals..."
      if [ "$CI_MERGE_REQUEST_APPROVED" != "true" ]; then
        echo "❌ Merge request not approved."
        exit 1
      fi
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'


 # =============================
 # 📄 templates/deploy-guard.yml
 # Prevent unauthorized deploys to main
 # =============================
 prevent_direct_main_deploy:
  stage: deploy
  script:
    - |
      echo "Checking branch..."
      if [[ "$CI_COMMIT_BRANCH" == "main" && "$CI_PIPELINE_SOURCE" != "merge_request_event" ]]; then
        echo "❌ Direct deploy to main is not allowed."
        exit 1
      fi
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'


 # =============================
 # 🧩 Example Project-level .gitlab-ci.yml
 # =============================
 include:
  - project: 'your-group/secure-ci-templates'
    file: '/.gitlab-ci.yml'

 stages:
  - build
  - test
  - deploy

 build:
  stage: build
  script:
    - echo "Running build"

 test:
  stage: test
  script:
    - echo "Running tests"

 deploy:
  stage: deploy
  script:
    - echo "Manual deploy triggered"
  when: manual
	# =============================
	# 🎯 Pipeline Execution Policy YAML
	# Enforces: SAST, Secret Detection, Custom Job
	# =============================
	type: pipeline
	name: enforce-secure-pipeline
	enabled: true
	rules:
	- type: pipeline
	branches:
	include:
	- "*"
	project_filter:
	include:
	- "*"
	actions:
	- scan: sast
	- scan: secret_detection
	- job: run_compliance_check@your-group/secure-ci-templates


	# =============================
	# ✅ secure-ci-templates/.gitlab-ci.yml (Main Template Project)
	# Project: your-group/secure-ci-templates
	# =============================
	include:
	- local: 'templates/compliance-check.yml'
	- local: 'templates/deploy-guard.yml'


	# =============================
	# 📄 templates/compliance-check.yml
	# Enforces approval-based check before merge
	# =============================
	compliance_check:
	stage: verify
	script:
	- \|
	echo "Checking for required approvals..."
	if [ "$CI_MERGE_REQUEST_APPROVED" != "true" ]; then
	echo "❌ Merge request not approved."
	exit 1
	fi
	rules:
	- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'


	# =============================
	# 📄 templates/deploy-guard.yml
	# Prevent unauthorized deploys to main
	# =============================
	prevent_direct_main_deploy:
	stage: deploy
	script:
	- \|
	echo "Checking branch..."
	if [[ "$CI_COMMIT_BRANCH" == "main" && "$CI_PIPELINE_SOURCE" != "merge_request_event" ]]; then
	echo "❌ Direct deploy to main is not allowed."
	exit 1
	fi
	rules:
	- if: '$CI_COMMIT_BRANCH == "main"'


	# =============================
	# 🧩 Example Project-level .gitlab-ci.yml
	# =============================
	include:
	- project: 'your-group/secure-ci-templates'
	file: '/.gitlab-ci.yml'

	stages:
	- build
	- test
	- deploy

	build:
	stage: build
	script:
	- echo "Running build"

	test:
	stage: test
	script:
	- echo "Running tests"

	deploy:
	stage: deploy
	script:
	- echo "Manual deploy triggered"
	when: manual