Scan Result Policies configured in Security Policy Project assigned to the group are not applied on newly created projects in that group

Summary

Scan Result Policies configured in Security Policy Project assigned to the group are not applied on newly created projects in that group.

Steps to reproduce

  1. Create new group
  2. Create Scan Result Policy in this group (Security & Compliance -> Policies -> Create new policy)
  3. Create new project in this group, configure gitlab-ci.yml file to include security job (like Jobs/Container-Scanning.gitlab-ci.yml with DOCKER_FILE variable as nginx:1.18.0)
  4. Create new MR in the project that modifies the gitlab-ci.yml file (change value of DOCKER_FILE to nginx:1.19.0), see that Approval Rules were not created on this MR.

Example Project

https://gitlab.com/gitlab-org/govern/demos/sandbox/scan-result-policies/cs-scan-test

What is the current bug behavior?

Approval Rules are not created for projects newly added to the group.

What is the expected correct behavior?

Approval Rules are created for projects newly added or transferred to the group.


Possible fixes

  • Add a call in the after_create_actions method of Projects::CreateService to trigger Security::ProcessScanResultPolicyWorker.
  • Add a call in the post_update_hooks method of Projects::TransferService to trigger Security::ProcessScanResultPolicyWorker.
  • Add a call in the post_update_hooks method of Groups::TransferService to trigger Security::SyncScanPoliciesWorker (or extract part of its code so it runs only for the groups within the transferred group).
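The following added illustration is not GitLab's code: it models the hook points listed above with hypothetical stand-in classes (Policy, Group, Project) and a single sync routine, to show why both the create path and the transfer path need the resync, including removal of rules inherited from the old group after a transfer.

```ruby
# Added illustration, not GitLab's code. All class and method names are
# hypothetical stand-ins for the services and worker named in the issue.

Policy  = Struct.new(:name, :approvals_required)  # one scan result policy
Group   = Struct.new(:name, :parent, :policies)   # policies from its policy project
Project = Struct.new(:name, :group, :approval_rules)

# Every policy that applies to a project: the policies of its group and of
# all ancestor groups (constructed behaviour for this example).
def applicable_policies(project)
  group = project.group
  policies = []
  while group
    policies.concat(group.policies)
    group = group.parent
  end
  policies
end

# Replace the project's policy-derived approval rules with the current set.
# This is the work the issue proposes triggering from after_create_actions
# and post_update_hooks; a real worker would persist approval rule records.
def sync_scan_result_policies(project)
  project.approval_rules = applicable_policies(project).map do |p|
    { name: p.name, approvals_required: p.approvals_required }
  end
  project
end

# Stand-in for Projects::CreateService#after_create_actions.
def create_project(name, group)
  project = Project.new(name, group, [])
  sync_scan_result_policies(project)   # the step the bug report says is missing
end

# Stand-in for Projects::TransferService#post_update_hooks. Rules inherited
# from the old group are dropped because the sync rebuilds the whole set.
def transfer_project(project, new_group)
  project.group = new_group
  sync_scan_result_policies(project)
end

# Constructed sample data mirroring the reproduction steps.
ROOT  = Group.new('root', nil, [Policy.new('Container scan findings', 2)])
SUBG  = Group.new('sub', ROOT, [Policy.new('Block critical SAST', 1)])
NOPOL = Group.new('other', nil, [])
```

A project created in SUBG receives rules from both SUBG and ROOT; transferring it to NOPOL leaves it with none, which is the expected behaviour the issue asks for.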