Generates a GitLab security policy YAML document from structured configuration. This data source performs pure transformation without any API calls.
Upstream API: GitLab Security Policies Documentation
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gitlab from "@pulumi/gitlab";
// Use this with `gitlab_repository_file` to manage your policies using native HCL.
// The invoke only renders YAML locally (no API call); the document is enforced
// only once the policy project is attached to a project or group (see below).
const scanArgs: gitlab.GetSecurityPolicyDocumentArgs = {
  scanExecutionPolicies: [
    {
      name: "Basic SAST Policy",
      enabled: true,
      // `branchType: "all"` applies the rule on every branch; narrow it with
      // `branches` / `branchExceptions` on the rule if only some should be scanned.
      rules: [{ type: "pipeline", branchType: "all" }],
      actions: [{ scan: "sast" }],
    },
  ],
};
const scan = gitlab.getSecurityPolicyDocument(scanArgs);

// See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
// for how to link a security policy project to a project or group.
const policy = new gitlab.RepositoryFile("policy", {
  project: "1234",
  ref: "main",
  filePath: ".gitlab/security-policies/policy.yml",
  // `yaml` is the rendered document; `id` is a hash of it, so the file is
  // replaced whenever the policy content changes.
  content: scan.then((doc) => doc.yaml),
});
import pulumi
import pulumi_gitlab as gitlab
# Use this with `gitlab_repository_file` to manage your policies using native HCL.
# The invoke only renders YAML locally (no API call); the document is enforced
# only once the policy project is attached to a project or group (see below).
basic_sast_policy = {
    "name": "Basic SAST Policy",
    "enabled": True,
    # "branch_type": "all" applies the rule on every branch; narrow it with
    # "branches" / "branch_exceptions" on the rule if only some should be scanned.
    "rules": [{"type": "pipeline", "branch_type": "all"}],
    "actions": [{"scan": "sast"}],
}
scan = gitlab.get_security_policy_document(scan_execution_policies=[basic_sast_policy])

# See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
# for how to link a security policy project to a project or group.
policy = gitlab.RepositoryFile(
    "policy",
    project="1234",
    ref="main",
    file_path=".gitlab/security-policies/policy.yml",
    # `yaml` is the rendered document; `id` is a hash of it.
    content=scan.yaml,
)
package main
import (
"github.com/pulumi/pulumi-gitlab/sdk/v9/go/gitlab"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders a scan execution policy document and writes it to the
// security policy project's policy file.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Use this with `gitlab_repository_file` to manage your policies using native HCL.
		// The invoke only renders YAML locally (no API call).
		basicSast := gitlab.GetSecurityPolicyDocumentScanExecutionPolicy{
			Name:    "Basic SAST Policy",
			Enabled: true,
			// BranchType "all" applies the rule on every branch; narrow it with
			// Branches / BranchExceptions on the rule if only some should be scanned.
			Rules: []gitlab.GetSecurityPolicyDocumentScanExecutionPolicyRule{
				{Type: "pipeline", BranchType: pulumi.StringRef("all")},
			},
			Actions: []gitlab.GetSecurityPolicyDocumentScanExecutionPolicyAction{
				{Scan: "sast"},
			},
		}
		scan, err := gitlab.GetSecurityPolicyDocument(ctx, &gitlab.GetSecurityPolicyDocumentArgs{
			ScanExecutionPolicies: []gitlab.GetSecurityPolicyDocumentScanExecutionPolicy{basicSast},
		}, nil)
		if err != nil {
			return err
		}

		// See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
		// for how to link a security policy project to a project or group.
		_, err = gitlab.NewRepositoryFile(ctx, "policy", &gitlab.RepositoryFileArgs{
			Project:  pulumi.String("1234"),
			Ref:      "main",
			FilePath: pulumi.String(".gitlab/security-policies/policy.yml"),
			// Yaml is the rendered document; Id is a hash of it.
			Content: pulumi.String(scan.Yaml),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using GitLab = Pulumi.GitLab;
return await Deployment.RunAsync(() =>
{
    // Use this with `gitlab_repository_file` to manage your policies using native HCL.
    // The invoke only renders YAML locally (no API call).
    var basicSast = new GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyInputArgs
    {
        Name = "Basic SAST Policy",
        Enabled = true,
        // BranchType "all" applies the rule on every branch; narrow it with
        // Branches / BranchExceptions on the rule if only some should be scanned.
        Rules = new[]
        {
            new GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyRuleInputArgs
            {
                Type = "pipeline",
                BranchType = "all",
            },
        },
        Actions = new[]
        {
            new GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyActionInputArgs
            {
                Scan = "sast",
            },
        },
    };
    var scan = GitLab.GetSecurityPolicyDocument.Invoke(new()
    {
        ScanExecutionPolicies = new[] { basicSast },
    });

    // See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
    // for how to link a security policy project to a project or group.
    var policy = new GitLab.RepositoryFile("policy", new()
    {
        Project = "1234",
        Ref = "main",
        FilePath = ".gitlab/security-policies/policy.yml",
        // Yaml is the rendered document; Id is a hash of it.
        Content = scan.Apply(result => result.Yaml),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gitlab.GitlabFunctions;
import com.pulumi.gitlab.inputs.GetSecurityPolicyDocumentArgs;
import com.pulumi.gitlab.inputs.GetSecurityPolicyDocumentScanExecutionPolicyArgs;
import com.pulumi.gitlab.inputs.GetSecurityPolicyDocumentScanExecutionPolicyRuleArgs;
import com.pulumi.gitlab.inputs.GetSecurityPolicyDocumentScanExecutionPolicyActionArgs;
import com.pulumi.gitlab.RepositoryFile;
import com.pulumi.gitlab.RepositoryFileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
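public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Renders a scan execution policy document and writes it to the security
     * policy project's policy file.
     *
     * The invoke only renders YAML locally (no API call); the document is
     * enforced only once the policy project is attached to a project or group.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Use this with `gitlab_repository_file` to manage your policies using native HCL
        var basicSast = GetSecurityPolicyDocumentScanExecutionPolicyArgs.builder()
            .name("Basic SAST Policy")
            .enabled(true)
            // branchType("all") applies the rule on every branch; narrow it with
            // branches / branchExceptions on the rule if only some should be scanned.
            .rules(GetSecurityPolicyDocumentScanExecutionPolicyRuleArgs.builder()
                .type("pipeline")
                .branchType("all")
                .build())
            .actions(GetSecurityPolicyDocumentScanExecutionPolicyActionArgs.builder()
                .scan("sast")
                .build())
            .build();
        final var scan = GitlabFunctions.getSecurityPolicyDocument(GetSecurityPolicyDocumentArgs.builder()
            .scanExecutionPolicies(basicSast)
            .build());

        // See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
        // for how to link a security policy project to a project or group.
        var policy = new RepositoryFile("policy", RepositoryFileArgs.builder()
            .project("1234")
            .ref("main")
            .filePath(".gitlab/security-policies/policy.yml")
            // getSecurityPolicyDocument returns an Output (or CompletableFuture) of the
            // result, so the yaml field has to be read through applyValue rather than
            // calling yaml() on the wrapper directly.
            .content(scan.applyValue(result -> result.yaml()))
            .build());
    }
}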
variables:
  # Use this with `gitlab_repository_file` to manage your policies using native HCL.
  # The invoke only renders YAML locally (no API call).
  scan:
    fn::invoke:
      function: gitlab:getSecurityPolicyDocument
      arguments:
        scanExecutionPolicies:
          - name: Basic SAST Policy
            enabled: true
            # `branchType: all` applies the rule on every branch; narrow it with
            # `branches` / `branchExceptions` on the rule if only some should be scanned.
            rules:
              - type: pipeline
                branchType: all
            actions:
              - scan: sast
resources:
  # See `gitlab_project_security_policy_attachment` or `gitlab_group_security_policy_attachment`
  # for how to link a security policy project to a project or group.
  policy:
    type: gitlab:RepositoryFile
    properties:
      project: 1234
      ref: main
      filePath: .gitlab/security-policies/policy.yml
      # `yaml` is the rendered document; `id` is a hash of it.
      content: ${scan.yaml}
Using getSecurityPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecurityPolicyDocument(args: GetSecurityPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetSecurityPolicyDocumentResult>
function getSecurityPolicyDocumentOutput(args: GetSecurityPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetSecurityPolicyDocumentResult>
def get_security_policy_document(scan_execution_policies: Optional[Sequence[GetSecurityPolicyDocumentScanExecutionPolicy]] = None,
opts: Optional[InvokeOptions] = None) -> GetSecurityPolicyDocumentResult
def get_security_policy_document_output(scan_execution_policies: Optional[pulumi.Input[Sequence[pulumi.Input[GetSecurityPolicyDocumentScanExecutionPolicyArgs]]]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecurityPolicyDocumentResult]
func GetSecurityPolicyDocument(ctx *Context, args *GetSecurityPolicyDocumentArgs, opts ...InvokeOption) (*GetSecurityPolicyDocumentResult, error)
func GetSecurityPolicyDocumentOutput(ctx *Context, args *GetSecurityPolicyDocumentOutputArgs, opts ...InvokeOption) GetSecurityPolicyDocumentResultOutput
> Note: This function is named GetSecurityPolicyDocument in the Go SDK.
public static class GetSecurityPolicyDocument
{
public static Task<GetSecurityPolicyDocumentResult> InvokeAsync(GetSecurityPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetSecurityPolicyDocumentResult> Invoke(GetSecurityPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetSecurityPolicyDocumentResult> getSecurityPolicyDocument(GetSecurityPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetSecurityPolicyDocumentResult> getSecurityPolicyDocument(GetSecurityPolicyDocumentArgs args, InvokeOptions options)
fn::invoke:
function: gitlab:index/getSecurityPolicyDocument:getSecurityPolicyDocument
arguments:
# arguments dictionary
The following arguments are supported:
- ScanExecutionPolicies List<Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicy>
- Scan execution policy configuration. Multiple policies can be specified.
- ScanExecutionPolicies []GetSecurityPolicyDocumentScanExecutionPolicy
- Scan execution policy configuration. Multiple policies can be specified.
- scanExecutionPolicies List<GetSecurityPolicyDocumentScanExecutionPolicy>
- Scan execution policy configuration. Multiple policies can be specified.
- scanExecutionPolicies GetSecurityPolicyDocumentScanExecutionPolicy[]
- Scan execution policy configuration. Multiple policies can be specified.
- scan_execution_policies Sequence[GetSecurityPolicyDocumentScanExecutionPolicy]
- Scan execution policy configuration. Multiple policies can be specified.
- scanExecutionPolicies List<Property Map>
- Scan execution policy configuration. Multiple policies can be specified.
getSecurityPolicyDocument Result
The following output properties are available:
- Id string
- Unique identifier for this policy document (hash of generated YAML).
- Yaml string
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- ScanExecutionPolicies List<Pulumi.GitLab.Outputs.GetSecurityPolicyDocumentScanExecutionPolicy>
- Scan execution policy configuration. Multiple policies can be specified.
- Id string
- Unique identifier for this policy document (hash of generated YAML).
- Yaml string
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- ScanExecutionPolicies []GetSecurityPolicyDocumentScanExecutionPolicy
- Scan execution policy configuration. Multiple policies can be specified.
- id String
- Unique identifier for this policy document (hash of generated YAML).
- yaml String
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- scanExecutionPolicies List<GetSecurityPolicyDocumentScanExecutionPolicy>
- Scan execution policy configuration. Multiple policies can be specified.
- id string
- Unique identifier for this policy document (hash of generated YAML).
- yaml string
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- scanExecutionPolicies GetSecurityPolicyDocumentScanExecutionPolicy[]
- Scan execution policy configuration. Multiple policies can be specified.
- id str
- Unique identifier for this policy document (hash of generated YAML).
- yaml str
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- scan_execution_policies Sequence[GetSecurityPolicyDocumentScanExecutionPolicy]
- Scan execution policy configuration. Multiple policies can be specified.
- id String
- Unique identifier for this policy document (hash of generated YAML).
- yaml String
- The generated policy document in YAML format, ready to write to `.gitlab/security-policies/policy.yml`.
- scanExecutionPolicies List<Property Map>
- Scan execution policy configuration. Multiple policies can be specified.
Supporting Types
GetSecurityPolicyDocumentScanExecutionPolicy
- Actions List<Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyAction>
- Actions to execute when rules match. At least one action is required.
- Enabled bool
- Whether the policy is enabled.
- Name string
- Name of the scan execution policy.
- Rules List<Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyRule>
- Rules that trigger the policy. At least one rule is required.
- Description string
- Description of the scan execution policy.
- PolicyScope Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- Scope configuration to limit which projects the policy applies to.
- SkipCi Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Control whether users can use the skip-ci directive.
- Actions []GetSecurityPolicyDocumentScanExecutionPolicyAction
- Actions to execute when rules match. At least one action is required.
- Enabled bool
- Whether the policy is enabled.
- Name string
- Name of the scan execution policy.
- Rules []GetSecurityPolicyDocumentScanExecutionPolicyRule
- Rules that trigger the policy. At least one rule is required.
- Description string
- Description of the scan execution policy.
- PolicyScope GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- Scope configuration to limit which projects the policy applies to.
- SkipCi GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Control whether users can use the skip-ci directive.
- actions List<GetSecurityPolicyDocumentScanExecutionPolicyAction>
- Actions to execute when rules match. At least one action is required.
- enabled Boolean
- Whether the policy is enabled.
- name String
- Name of the scan execution policy.
- rules List<GetSecurityPolicyDocumentScanExecutionPolicyRule>
- Rules that trigger the policy. At least one rule is required.
- description String
- Description of the scan execution policy.
- policyScope GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- Scope configuration to limit which projects the policy applies to.
- skipCi GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Control whether users can use the skip-ci directive.
- actions GetSecurityPolicyDocumentScanExecutionPolicyAction[]
- Actions to execute when rules match. At least one action is required.
- enabled boolean
- Whether the policy is enabled.
- name string
- Name of the scan execution policy.
- rules GetSecurityPolicyDocumentScanExecutionPolicyRule[]
- Rules that trigger the policy. At least one rule is required.
- description string
- Description of the scan execution policy.
- policyScope GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- Scope configuration to limit which projects the policy applies to.
- skipCi GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Control whether users can use the skip-ci directive.
- actions Sequence[GetSecurityPolicyDocumentScanExecutionPolicyAction]
- Actions to execute when rules match. At least one action is required.
- enabled bool
- Whether the policy is enabled.
- name str
- Name of the scan execution policy.
- rules Sequence[GetSecurityPolicyDocumentScanExecutionPolicyRule]
- Rules that trigger the policy. At least one rule is required.
- description str
- Description of the scan execution policy.
- policy_scope GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- Scope configuration to limit which projects the policy applies to.
- skip_ci GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Control whether users can use the skip-ci directive.
- actions List<Property Map>
- Actions to execute when rules match. At least one action is required.
- enabled Boolean
- Whether the policy is enabled.
- name String
- Name of the scan execution policy.
- rules List<Property Map>
- Rules that trigger the policy. At least one rule is required.
- description String
- Description of the scan execution policy.
- policyScope Property Map
- Scope configuration to limit which projects the policy applies to.
- skipCi Property Map
- Control whether users can use the skip-ci directive.
GetSecurityPolicyDocumentScanExecutionPolicyAction
- Scan string
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- ScannerProfile string
- Scanner profile to use for DAST scans.
- SiteProfile string
- Site profile to use for DAST scans.
- List<string>
- Tags to exclude from the scan.
- Template string
- The template to use for the scan. Valid values: default, latest.
- Variables Dictionary<string, string>
- Environment variables to pass to the scan job.
- Scan string
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- ScannerProfile string
- Scanner profile to use for DAST scans.
- SiteProfile string
- Site profile to use for DAST scans.
- []string
- Tags to exclude from the scan.
- Template string
- The template to use for the scan. Valid values: default, latest.
- Variables map[string]string
- Environment variables to pass to the scan job.
- scan String
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- scannerProfile String
- Scanner profile to use for DAST scans.
- siteProfile String
- Site profile to use for DAST scans.
- List<String>
- Tags to exclude from the scan.
- template String
- The template to use for the scan. Valid values: default, latest.
- variables Map<String,String>
- Environment variables to pass to the scan job.
- scan string
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- scannerProfile string
- Scanner profile to use for DAST scans.
- siteProfile string
- Site profile to use for DAST scans.
- string[]
- Tags to exclude from the scan.
- template string
- The template to use for the scan. Valid values: default, latest.
- variables {[key: string]: string}
- Environment variables to pass to the scan job.
- scan str
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- scanner_profile str
- Scanner profile to use for DAST scans.
- site_profile str
- Site profile to use for DAST scans.
- Sequence[str]
- Tags to exclude from the scan.
- template str
- The template to use for the scan. Valid values: default, latest.
- variables Mapping[str, str]
- Environment variables to pass to the scan job.
- scan String
- Type of scan to run. Valid values: sast, secret_detection, container_scanning, dependency_scanning, dast, sast_iac, cluster_image_scanning, api_fuzzing, coverage_fuzzing.
- scannerProfile String
- Scanner profile to use for DAST scans.
- siteProfile String
- Site profile to use for DAST scans.
- List<String>
- Tags to exclude from the scan.
- template String
- The template to use for the scan. Valid values: default, latest.
- variables Map<String>
- Environment variables to pass to the scan job.
GetSecurityPolicyDocumentScanExecutionPolicyPolicyScope
- ComplianceFrameworks List<string>
- Compliance framework names to scope the policy to.
- Projects Pulumi.GitLab.Inputs.GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Project scope configuration.
- ComplianceFrameworks []string
- Compliance framework names to scope the policy to.
- Projects GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Project scope configuration.
- complianceFrameworks List<String>
- Compliance framework names to scope the policy to.
- projects GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Project scope configuration.
- complianceFrameworks string[]
- Compliance framework names to scope the policy to.
- projects GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Project scope configuration.
- compliance_frameworks Sequence[str]
- Compliance framework names to scope the policy to.
- projects GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Project scope configuration.
- complianceFrameworks List<String>
- Compliance framework names to scope the policy to.
- projects Property Map
- Project scope configuration.
GetSecurityPolicyDocumentScanExecutionPolicyPolicyScopeProjects
- Excludings List<int>
- List of project IDs to exclude from this policy.
- Includings List<int>
- List of project IDs to explicitly include in this policy.
- Excludings []int
- List of project IDs to exclude from this policy.
- Includings []int
- List of project IDs to explicitly include in this policy.
- excludings List<Integer>
- List of project IDs to exclude from this policy.
- includings List<Integer>
- List of project IDs to explicitly include in this policy.
- excludings number[]
- List of project IDs to exclude from this policy.
- includings number[]
- List of project IDs to explicitly include in this policy.
- excludings Sequence[int]
- List of project IDs to exclude from this policy.
- includings Sequence[int]
- List of project IDs to explicitly include in this policy.
- excludings List<Number>
- List of project IDs to exclude from this policy.
- includings List<Number>
- List of project IDs to explicitly include in this policy.
GetSecurityPolicyDocumentScanExecutionPolicyRule
- Type string
- Type of rule. Valid values: pipeline, schedule, agent.
- Agents Dictionary<string, string>
- Kubernetes agents configuration for agent-based policies.
- BranchExceptions List<string>
- Branches to exclude from the policy.
- BranchType string
- Type of branches to match. Valid values: all, protected, default.
- Branches List<string>
- Branch names or patterns to match.
- Cadence string
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
- Type string
- Type of rule. Valid values: pipeline, schedule, agent.
- Agents map[string]string
- Kubernetes agents configuration for agent-based policies.
- BranchExceptions []string
- Branches to exclude from the policy.
- BranchType string
- Type of branches to match. Valid values: all, protected, default.
- Branches []string
- Branch names or patterns to match.
- Cadence string
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
- type String
- Type of rule. Valid values: pipeline, schedule, agent.
- agents Map<String,String>
- Kubernetes agents configuration for agent-based policies.
- branchExceptions List<String>
- Branches to exclude from the policy.
- branchType String
- Type of branches to match. Valid values: all, protected, default.
- branches List<String>
- Branch names or patterns to match.
- cadence String
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
- type string
- Type of rule. Valid values: pipeline, schedule, agent.
- agents {[key: string]: string}
- Kubernetes agents configuration for agent-based policies.
- branchExceptions string[]
- Branches to exclude from the policy.
- branchType string
- Type of branches to match. Valid values: all, protected, default.
- branches string[]
- Branch names or patterns to match.
- cadence string
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
- type str
- Type of rule. Valid values: pipeline, schedule, agent.
- agents Mapping[str, str]
- Kubernetes agents configuration for agent-based policies.
- branch_exceptions Sequence[str]
- Branches to exclude from the policy.
- branch_type str
- Type of branches to match. Valid values: all, protected, default.
- branches Sequence[str]
- Branch names or patterns to match.
- cadence str
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
- type String
- Type of rule. Valid values: pipeline, schedule, agent.
- agents Map<String>
- Kubernetes agents configuration for agent-based policies.
- branchExceptions List<String>
- Branches to exclude from the policy.
- branchType String
- Type of branches to match. Valid values: all, protected, default.
- branches List<String>
- Branch names or patterns to match.
- cadence String
- Cron expression for schedule type rules (e.g., `*/15 * * * *` for every 15 minutes).
GetSecurityPolicyDocumentScanExecutionPolicySkipCi
- Allowed bool
- Allow (true) or prevent (false) the use of skip-ci directive.
- Allowed bool
- Allow (true) or prevent (false) the use of skip-ci directive.
- allowed Boolean
- Allow (true) or prevent (false) the use of skip-ci directive.
- allowed boolean
- Allow (true) or prevent (false) the use of skip-ci directive.
- allowed bool
- Allow (true) or prevent (false) the use of skip-ci directive.
- allowed Boolean
- Allow (true) or prevent (false) the use of skip-ci directive.
Package Details
- Repository
- GitLab pulumi/pulumi-gitlab
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `gitlab` Terraform Provider.
