doc/user/application_security/policies/scheduled_pipeline_execution_policies.md
{{< details >}}
{{< /details >}}
{{< history >}}
scheduled_pipeline_execution_policy_type defined in the policy.yml file.{{< /history >}}
Pipeline execution policies enforce custom CI/CD jobs in your projects' pipelines. With scheduled pipeline execution policies, you can extend this enforcement to run the CI/CD job on a regular cadence (daily, weekly, or monthly), ensuring that compliance scripts, security scans, or other custom CI/CD job are executed even when there are no new commits.
Unlike regular pipeline execution policies that inject or override jobs in existing pipelines, scheduled policies create new pipelines that run independently on the schedule you define.
Scheduled pipelines are separate from your project's .gitlab-ci.yml and do not execute any of the project's CI/CD jobs.
Common use cases include:
Before enabling a scheduled pipeline execution policy across all projects, you can run a test to verify that the pipeline works and to understand how the policy impacts your infrastructure. The test run executes real pipelines to provide accurate timing and resource estimates.
[!note] Test runs create real pipelines and consume compute minutes against the target project.
To run a test:
The test run creates a pipeline on the selected project using the policy's CI/CD configuration. You can monitor the test run status in the Test runs tab.
After the test run completes, the Test runs tab displays the result, including the duration and any error messages.
To configure a scheduled pipeline execution policy, add additional configuration fields to the pipeline_execution_schedule_policy section of your security policy project's .gitlab/security-policies/policy.yml file:
pipeline_execution_schedule_policy:
- name: Scheduled Pipeline Execution Policy
description: ''
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: daily
start_time: '10:00'
time_window:
value: 600
distribution: random
The schedules section allows you to configure when security policy jobs run automatically. You can create daily, weekly, or monthly schedules with specific execution times and distribution windows.
The schedules section supports the following options:
| Parameter | Description |
|---|---|
type | Schedule type: daily, weekly, or monthly |
start_time | Time to start the schedule in 24-hour format (HH:MM) |
time_window | Time window in which to distribute the pipeline executions |
time_window.value | Duration in seconds (minimum: 600, maximum: 2629746) |
time_window.distribution | Distribution method (currently, only random is supported) |
timezone | IANA timezone identifier (defaults to UTC if not specified) |
branches | Optional array with names of the branches to schedule pipelines on. If branches is specified, pipelines run only on the specified branches and only if they exist in the project. If not specified, pipelines run only on the default branch. You can provide a maximum of five unique branch names per schedule. |
days | Use with weekly schedules only: Array of days when the schedule runs (for example, ["Monday", "Friday"]) |
days_of_month | Use with monthly schedules only: Array of dates when the schedule runs (for example, [1, 15], can include values from 1 to 31) |
snooze | Optional configuration to temporarily pause the schedule |
snooze.until | ISO8601 date and time when the schedule resumes after the snooze (format: 2025-06-13T20:20:00+00:00) |
snooze.reason | Optional documentation explaining why the schedule is snoozed |
Use daily, weekly, or monthly schedules.
schedules:
- type: daily
start_time: "01:00"
time_window:
value: 3600 # 1 hour window
distribution: random
timezone: "America/New_York"
branches:
- main
- develop
- staging
schedules:
- type: weekly
days:
- Monday
- Wednesday
- Friday
start_time: "04:30"
time_window:
value: 7200 # 2 hour window
distribution: random
timezone: "Europe/Berlin"
schedules:
- type: monthly
days_of_month:
- 1
- 15
start_time: "02:15"
time_window:
value: 14400 # 4 hour window
distribution: random
timezone: "Asia/Tokyo"
To prevent overwhelming your CI/CD infrastructure when applying policies to multiple projects, scheduled pipeline execution policies distribute the creation of the pipelines across a time window with some common rules:
random. Pipelines are randomly distributed during the specified time window.branches, the policy runs on the project default branch only.You can temporarily pause scheduled pipeline execution policies using the snooze feature. Use the snooze feature during maintenance windows, holidays, or when you need to prevent scheduled pipelines from running for a specific time period.
When you snooze a scheduled pipeline execution policy:
To snooze a scheduled pipeline execution policy, add a snooze section to the schedule configuration:
pipeline_execution_schedule_policy:
- name: Weekly Security Scan
description: 'Run security scans every week'
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: weekly
start_time: '02:00'
time_window:
value: 3600
distribution: random
timezone: UTC
days:
- Monday
snooze:
until: "2025-06-26T16:27:00+00:00" # ISO8601 format
reason: "Critical production deployment"
The snooze.until parameter specifies when the snooze period ends using the ISO8601 format: YYYY-MM-DDThh:mm:ss+00:00 where:
YYYY-MM-DD: Year, month, and dayT: Separator between date and timehh:mm:ss: Hours, minutes, and seconds in 24-hour format+00:00: Time zone offset from UTC (or Z for UTC)For example, 2025-06-26T16:27:00+00:00 represents June 26, 2025, at 4:27 PM UTC.
To remove a snooze before its expiration time, remove the snooze section from the policy configuration or set a date in the past for the until value.
By default, scheduled pipeline execution policy jobs cannot access project or group CI/CD variables. This secure default prevents policies from unintentionally exposing sensitive project configuration.
To allow policy jobs to access project and group CI/CD variables, add the variables_override option to your policy configuration:
pipeline_execution_schedule_policy:
- name: Scheduled Security Scan
description: 'Run security scans with access to project variables'
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
variables_override:
allowed: true
schedules:
- type: daily
start_time: '02:00'
time_window:
value: 3600
distribution: random
variables_override configuration options| Parameter | Description |
|---|---|
allowed | Required. When true, policy jobs can access project and group CI/CD variables. When false, blocks access to these variables. |
exceptions | Optional. An array of variable names that are excepted from the enforcement. When allowed: true, variables in this list are blocked. When allowed: false, variables in this list are allowed. |
dotenv | Optional. Controls whether dotenv artifact variables follow the policy rules. Set to allow_override to let dotenv variables bypass the policy rules. Default behavior respects the policy rules. |
variables_override examplesBlock all project variables except specific ones:
variables_override:
allowed: false
exceptions:
- DEPLOY_TOKEN
- API_KEY
Allow all project variables except sensitive ones:
variables_override:
allowed: true
exceptions:
- SECRET_KEY
- PRIVATE_TOKEN
By default, schedules run on the default branch only. Scheduled pipeline execution policies support branch filtering, which allows you to schedule pipelines for additional branches. Use the branches property to perform regular scans or checks on other important branches in your project.
When you configure the branches property in your schedule:
pipeline_execution_schedule_policy:
- name: Scan Multiple Branches
description: 'Run security scans on main, staging and develop branches'
enabled: true
content:
include:
- project: your-group/your-project
file: security-scan.yml
schedules:
- type: weekly
days:
- Monday
start_time: '02:00'
time_window:
value: 3600
distribution: random
branches:
- main
- staging
- develop
- feature/new-authentication
In this example, if all of the specified branches exist in the project, the policy creates four separate pipelines (one for each branch).
To use scheduled pipeline execution policies, your project must meet the following requirements:
When your policy references CI/CD configuration files, the Security Policy Bot must have access to them. Files in public projects are accessible by default. For files in your security policy project or other private projects, enable access using one of the following options.
If your CI/CD configuration files are stored in the security policy project itself, use this option. This setting applies to any user who triggers a pipeline with pipeline execution policies injected.
If your policy include: value references a CI/CD configuration file stored in a private or internal
project other than the security policy project, use this option.
In the private or internal project that stores CI/CD files, in the left sidebar, select Settings > General.
Expand Visibility, project features, permissions.
In Pipeline execution policies, select Allow access to CI/CD configuration files in this project.
In Allowed file patterns, add one or more glob patterns to specify the files that can be accessed, separated by commas.
Optional. In Allowed group, select a group to allow only users from projects in that group to access CI/CD configuration files.
If not specified, users from any project in the root ancestor group can access the files.
Select Save changes.
The glob patterns for the allowed files must match the paths specified in the include:file: value. For example:
include:file: ci/security-scan.yml, use ci/**/*.yml or ci/security-scan.yml.include:file: policy-ci.yml, use *.yml or policy-ci.yml.ci/**/*.yml, templates/**/*.yml.Scheduled pipelines are executed by the Security Policy Bot User, a dedicated system account that GitLab automatically creates for each project the security policy applies to. To ensure that policy execution remains isolated and secure, the bot user has the following security restrictions:
Because the bot user is not a member of other projects, it cannot complete any of the following actions:
[!important] When you include files from a private or internal project, enable the Pipeline execution policies setting in that project and set matching file patterns. Without these settings, pipeline execution fails with an access error.
Be aware of the following limits when creating scheduled pipeline execution policies:
branches array.When you create or update a scheduled pipeline execution policy, a background worker creates the schedule record asynchronously. If the background worker queue experiences delays (for example, due to high system load), the background worker might create the schedule record after the intended first run time passes. In this case, the first run occurs at the next scheduled occurrence instead of immediately.
For example, if you create a policy at 2:00 PM for a 6:00 PM run, but the background worker doesn't process the policy until 7:00 PM, the first run is scheduled for 6:00 PM the following day (or the next applicable day based on your schedule configuration).
To work around this behavior:
If your scheduled pipelines are not running as expected, follow these troubleshooting steps:
enabled: true).