Operational Container scanning doesn't run when enabled via group-level scan execution policy

Summary

When operational container scanning is enabled via a group-level scan execution policy, the scan never starts. If the same scan execution policy is defined in the project's own configuration instead of being inherited from the group, it runs.

Steps to reproduce

  1. Create a project and install a GitLab agent for Kubernetes. Make sure the agent is connected.
  2. Open the group that the project belongs to. Go to Security and Compliance > Policies and click the New Policy button.
  3. Enter the policy as YAML or use the policy editor. The policy.yml I have is below. Once you are done, select Configure with a merge request and merge to the master branch.

    name: container scanning from group level
    description: ''
    enabled: true
    actions:
      - scan: container_scanning
    rules:
      - type: schedule
        cadence: 41 19 * * *
        agents:
          dalecooper:
            namespaces:
              - gl-dev
  4. In the project created in step 1, check that the group-level policy shows in Security and Compliance > Policies as inherited.
  5. Wait until the time configured in the cadence. The scan never runs, and there is nothing in the agent logs.
  6. Go to Infrastructure > Kubernetes clusters. Click the agent name and then click the Security tab. There are no results.
  7. In the project, go to Security and Compliance > Policies. Click New Policy.
  8. Enter the policy as YAML or use the policy editor. Use a different cadence to distinguish it from the group-level policy. Once you are done, select Configure with a merge request and merge to the master branch. My project-level policy yml is:

    name: Container scanning for my agent
    description: ''
    enabled: true
    actions:
      - scan: container_scanning
    rules:
      - type: schedule
        cadence: 27 20 * * *
        agents:
          dalecooper:
            namespaces:
              - gitlab-supermunn
  9. Wait until the time configured in the cadence. You will see the cluster vulnerabilities on the agent's Security tab.

Example Project

https://gitlab.com/gitlab-gold/emunn-test/kas/agentmgr/-/security/policies

What is the current bug behavior?

Operational container scanning does not run for scan execution policies defined at the group level, even though the project shows the policy as inherited.

What is the expected correct behavior?

The inherited group-level policy should run on its cadence, and the results should be available on the agent's page in the Security tab, exactly as they are for a project-level policy.

Output of checks

This bug happens on GitLab.com

Possible fixes

As a workaround, create the scan execution policy at the project level; project-level policies are picked up by the agent's policy lookup.
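To make the failure mode concrete, below is a standalone Ruby model of the difference between a policy lookup that reads only the project's own policy configuration and one that also walks the ancestor groups. It is an added illustration, not GitLab's finder or service code: the `Container`, `lookup_policies`, `configurations_for` and `sample_project` names and the `relationship:` keyword are assumptions chosen to mirror the behaviour described in this issue. The two policies are the ones from the steps to reproduce, embedded as constructed sample data. With a direct-only lookup, a project that carries only the inherited group policy gets no schedule at all, which is what the agent sees here; a project-level policy (the workaround) is found either way.

```ruby
# Added illustration, not GitLab code: models a policy lookup that reads only
# a project's own security policies versus one that also walks the ancestor
# groups. Container, lookup_policies, configurations_for and sample_project
# are hypothetical names.
require 'yaml'

# Constructed sample policies, copied from the steps to reproduce in this issue.
GROUP_POLICY_YAML = <<~YAML
  name: container scanning from group level
  enabled: true
  actions:
    - scan: container_scanning
  rules:
    - type: schedule
      cadence: 41 19 * * *
      agents:
        dalecooper:
          namespaces:
            - gl-dev
YAML

PROJECT_POLICY_YAML = <<~YAML
  name: Container scanning for my agent
  enabled: true
  actions:
    - scan: container_scanning
  rules:
    - type: schedule
      cadence: 27 20 * * *
      agents:
        dalecooper:
          namespaces:
            - gitlab-supermunn
YAML

# A group or project: it has an optional parent group and its own list of
# parsed policies (the policies stored in its security policy project).
Container = Struct.new(:name, :parent, :policies) do
  # The container itself followed by each ancestor group, nearest first.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

OPERATIONAL_SCAN_TYPES = %w[container_scanning cluster_image_scanning].freeze

# relationship: :direct    -> only the project's own policies (the lookup that
#                             loses group-level policies)
# relationship: :inherited -> the project's own policies plus its ancestors'
def lookup_policies(project, relationship: :direct)
  sources = relationship == :inherited ? project.self_and_ancestors : [project]
  sources.flat_map(&:policies).select do |policy|
    policy['enabled'] &&
      policy['actions'].any? { |action| OPERATIONAL_SCAN_TYPES.include?(action['scan']) }
  end
end

# The per-agent schedule list, shaped like the policies_configuration response
# quoted in the verification steps: one entry per schedule rule naming this agent.
def configurations_for(project, agent_name, relationship: :direct)
  lookup_policies(project, relationship: relationship).flat_map do |policy|
    policy['rules']
      .select { |rule| rule['type'] == 'schedule' && rule.dig('agents', agent_name) }
      .map { |rule| { 'cadence' => rule['cadence'], 'namespaces' => rule.dig('agents', agent_name, 'namespaces') } }
  end
end

# Fixture: a project inside a group that carries the group-level policy. The
# project-level policy (the workaround) is optional.
def sample_project(with_project_policy: true)
  group = Container.new('emunn-test', nil, [YAML.safe_load(GROUP_POLICY_YAML)])
  own = with_project_policy ? [YAML.safe_load(PROJECT_POLICY_YAML)] : []
  Container.new('agentmgr', group, own)
end

if $PROGRAM_NAME == __FILE__
  inherited_only = sample_project(with_project_policy: false)
  p configurations_for(inherited_only, 'dalecooper')                           # [] : the reported bug
  p configurations_for(inherited_only, 'dalecooper', relationship: :inherited) # the group schedule
  p configurations_for(sample_project, 'dalecooper', relationship: :inherited) # project and group schedules
end
```

Run it with `ruby` to see the three results. The first call is the reported behaviour (an empty schedule list for a project whose only policy is inherited); the second shows that widening the lookup to the ancestor chain recovers it without affecting how a project-level policy is found.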

Implementation Plan

diff --git a/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
index a3bcb7396a5b..c265e6625ae2 100644
--- a/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/operational_vulnerabilities_configuration_service.rb
@@ -42,9 +42,10 @@ def rule_applicable_for_agent?(rule)
 
       def policies
         strong_memoize(:policies) do
-          ::Security::ScanExecutionPoliciesFinder
-            .new(agent, project, action_scan_types: %i[container_scanning cluster_image_scanning])
-            .execute
+          ::Security::ScanExecutionPoliciesFinder.new(agent, project,
+            relationship: :inherited,
+            action_scan_types: %i[container_scanning cluster_image_scanning]
+          ).execute
         end
       end
     end
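Review bot: the patch changes only the finder call in `policies` and carries no spec update for this service, while the staging verification below exercises a group-level policy alone. Add a spec case with one policy on the parent group and one on the project itself and assert that `policies` returns both, so that `relationship: :inherited` is confirmed to widen the lookup (the project's own configuration plus its ancestors') rather than replace the direct lookup; if it replaced it, the project-level workaround that works today would regress. The explanation of why the previous call, with no `relationship:` argument, excluded group-level policies belongs in the commit message, since that default is the whole bug.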

Verification Steps (Staging)

  1. Create a new group with a project in it.

  2. On the group page, open Security and Compliance -> Policies.

  3. Select New policy.

  4. Select Scan execution policy.

  5. Switch to YAML mode.

  6. Paste the security policy:

    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: schedule
        agents:
          test-agent:
            namespaces:
              - test
        cadence: 0 0 * * *
    actions:
      - scan: container_scanning
        tags: []
  7. Select Configure with a merge request.

  8. Merge the MR.

  9. Go back to the project.

  10. Select Infrastructure on the left sidebar

  11. Select Connect a cluster (agent)

  12. Type test-agent

  13. Select Create agent: test-agent

  14. Select Register

  15. Copy the Agent access token

  16. Open a rails console.

  17. Create a new KAS JWT using the rails console:

    JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
  18. Send the API request that the agent makes for its schedule (replace $KAS_JWT and $AGENT_TOKEN):

    curl --include \
         --header "Gitlab-Kas-Api-Request: $KAS_JWT" \
         --header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
         --url "https://staging.gitlab.com/api/v4/internal/kubernetes/modules/starboard_vulnerability/policies_configuration"
  19. This should now return the group-level security policy, for example {"configurations":[{"cadence":"0 0 * * *","namespaces":["test"],"updated_at":"2023-05-08T09:19:52+00:00"}]}
Edited by Andy Schoenen