Merge branch '434321-fix-scan-execution-policy-does-not-trigger-without-ci-file' into 'master'

Fix scan execution policy without ci file

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143979



Merged-by: Sashi Kumar Kumaresan <skumar@gitlab.com>
Approved-by: Alan (Maciej) Paruszewski <mparuszewski@gitlab.com>
Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com>
Approved-by: Pedro Pombeiro <noreply@pedro.pombei.ro>
Co-authored-by: Andy Soiron <asoiron@gitlab.com>

ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb

@@ -26,6 +26,8 @@ def perform
             return @config if valid_security_orchestration_policy_configurations.blank?
             return @config unless extend_configuration?
 
+            @config[:workflow] = { rules: [{ when: 'always' }] } if @config.empty?
+
             merged_config = @config.deep_merge(merged_security_policy_config)
 
             if custom_scan_actions_enabled? && active_scan_custom_actions.any?

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -186,6 +186,14 @@
     context 'when policy is applicable on branch from the pipeline' do
       let(:ref) { 'refs/heads/master' }
 
+      context 'and the project does not have a CI configuration' do
+        let_it_be(:config) { {} }
+
+        it 'adds a workflow rule' do
+          expect(subject).to include({ workflow: { rules: [when: 'always'] } })
+        end
+      end
+
       context 'when DAST profiles are not found' do
         it 'does not modify the config' do
           expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })