doc/user/application_security/policies/scheduled_pipeline_execution_policies.md
{{< details >}}
{{< /details >}}
{{< history >}}
scheduled_pipeline_execution_policy_type defined in the policy.yml file.{{< /history >}}
Pipeline execution policies enforce custom CI/CD jobs in your projects' pipelines. With scheduled pipeline execution policies, you can extend this enforcement to run the CI/CD job on a regular cadence (daily, weekly, or monthly), ensuring that compliance scripts, security scans, or other custom CI/CD job are executed even when there are no new commits.
Unlike regular pipeline execution policies that inject or override jobs in existing pipelines, scheduled policies create new pipelines that run independently on the schedule you define.
Scheduled pipelines are separate from your project's .gitlab-ci.yml and do not execute any of the project's CI/CD jobs.
Common use cases include:
Scheduled pipeline execution policies are available as an experimental feature. To enable this feature in your environment, enable the pipeline_execution_schedule_policy experiment in the security policy configuration. The .gitlab/security-policies/policy.yml YAML configuration file is stored in your Security Policy Project:
experiments:
pipeline_execution_schedule_policy:
enabled: true
[!note] This feature is experimental and may change in future releases. You should test it thoroughly in a non-production environment only. You should not use this feature in production environments as it may be unstable.
To configure a scheduled pipeline execution policy, add additional configuration fields to the pipeline_execution_schedule_policy section of your security policy project's .gitlab/security-policies/policy.yml file:
pipeline_execution_schedule_policy:
- name: Scheduled Pipeline Execution Policy
description: ''
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: daily
start_time: '10:00'
time_window:
value: 600
distribution: random
The schedules section allows you to configure when security policy jobs run automatically. You can create daily, weekly, or monthly schedules with specific execution times and distribution windows.
The schedules section supports the following options:
| Parameter | Description |
|---|---|
type | Schedule type: daily, weekly, or monthly |
start_time | Time to start the schedule in 24-hour format (HH:MM) |
time_window | Time window in which to distribute the pipeline executions |
time_window.value | Duration in seconds (minimum: 600, maximum: 2629746) |
time_window.distribution | Distribution method (currently, only random is supported) |
timezone | IANA timezone identifier (defaults to UTC if not specified) |
branches | Optional array with names of the branches to schedule pipelines on. If branches is specified, pipelines run only on the specified branches and only if they exist in the project. If not specified, pipelines run only on the default branch. You can provide a maximum of five unique branch names per schedule. |
days | Use with weekly schedules only: Array of days when the schedule runs (for example, ["Monday", "Friday"]) |
days_of_month | Use with monthly schedules only: Array of dates when the schedule runs (for example, [1, 15], can include values from 1 to 31) |
snooze | Optional configuration to temporarily pause the schedule |
snooze.until | ISO8601 date and time when the schedule resumes after the snooze (format: 2025-06-13T20:20:00+00:00) |
snooze.reason | Optional documentation explaining why the schedule is snoozed |
Use daily, weekly, or monthly schedules.
schedules:
- type: daily
start_time: "01:00"
time_window:
value: 3600 # 1 hour window
distribution: random
timezone: "America/New_York"
branches:
- main
- develop
- staging
schedules:
- type: weekly
days:
- Monday
- Wednesday
- Friday
start_time: "04:30"
time_window:
value: 7200 # 2 hour window
distribution: random
timezone: "Europe/Berlin"
schedules:
- type: monthly
days_of_month:
- 1
- 15
start_time: "02:15"
time_window:
value: 14400 # 4 hour window
distribution: random
timezone: "Asia/Tokyo"
To prevent overwhelming your CI/CD infrastructure when applying policies to multiple projects, scheduled pipeline execution policies distribute the creation of the pipelines across a time window with some common rules:
random. Pipelines are randomly distributed during the specified time window.You can temporarily pause scheduled pipeline execution policies using the snooze feature. Use the snooze feature during maintenance windows, holidays, or when you need to prevent scheduled pipelines from running for a specific time period.
When you snooze a scheduled pipeline execution policy:
To snooze a scheduled pipeline execution policy, add a snooze section to the schedule configuration:
pipeline_execution_schedule_policy:
- name: Weekly Security Scan
description: 'Run security scans every week'
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: weekly
start_time: '02:00'
time_window:
value: 3600
distribution: random
timezone: UTC
days:
- Monday
snooze:
until: "2025-06-26T16:27:00+00:00" # ISO8601 format
reason: "Critical production deployment"
The snooze.until parameter specifies when the snooze period ends using the ISO8601 format: YYYY-MM-DDThh:mm:ss+00:00 where:
YYYY-MM-DD: Year, month, and dayT: Separator between date and timehh:mm:ss: Hours, minutes, and seconds in 24-hour format+00:00: Time zone offset from UTC (or Z for UTC)For example, 2025-06-26T16:27:00+00:00 represents June 26, 2025, at 4:27 PM UTC.
To remove a snooze before its expiration time, remove the snooze section from the policy configuration or set a date in the past for the until value.
By default, schedules run on the default branch only. Scheduled pipeline execution policies support branch filtering, which allows you to schedule pipelines for additional branches. Use the branches property to perform regular scans or checks on other important branches in your project.
When you configure the branches property in your schedule:
pipeline_execution_schedule_policy:
- name: Scan Multiple Branches
description: 'Run security scans on main, staging and develop branches'
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: weekly
days:
- Monday
start_time: '02:00'
time_window:
value: 3600
distribution: random
branches:
- main
- staging
- develop
- feature/new-authentication
In this example, if all of the specified branches exist in the project, the policy creates four separate pipelines (one for each branch).
To use scheduled pipeline execution policies:
Scheduled pipelines are executed by the Security Policy Bot User, a dedicated system account that GitLab automatically creates for each project the security policy applies to. To ensure that policy execution remains isolated and secure, the bot user has the following security restrictions:
Because the bot user is not a member of other projects, it cannot complete any of the following actions:
[!important] Because of these privilege limitations, you must store all pipeline configuration files (including any files referenced with an
include:statement) directly in your security policy project. Do not reference CI/CD configuration files from other private projects, as this results in access errors during pipeline execution.
This feature is experimental and may change in future releases. Also, be aware of the following limits when creating scheduled pipeline execution policies:
branches array.If your scheduled pipelines are not running as expected, follow these troubleshooting steps:
pipeline_execution_schedule_policy: enabled: true flag is set in the experiments section of your policy.yml file.enabled: true).