
BE: Add support for branch exceptions for Scan Execution Policies and Scan Result Policies

Why are we doing this work

In the scope of this issue, we would like to extend the current functionality to support branch_exceptions.

Relevant links

Non-functional requirements

  • Documentation: no documentation changes are needed until the feature flag is enabled by default
  • Feature flag: the overall feature should be released behind the feature flag security_policies_branch_exceptions; if the FF is disabled, branch_exceptions must not be considered when evaluating whether a policy is applicable
  • Performance:
  • Testing:
    • Test that current functionality keeps working when branch_exceptions are provided; if the UI is used, there should be no impact on current functionality
    • Test that the policy is not enforced when the policy is applied at group level and the exception's branch name and full path match the project's full path and branch name
    • Test that the policy is not enforced when the policy is applied at group level and the exception's branch name and full path match the project's group full path and branch name
    • Test that the policy is enforced when the policy is applied at group level and the exception's branch name and full path match only the project's group full path, but not the branch name
    • Test that the policy is enforced when the policy is applied at group level and the exception's branch name and full path match only the project's full path, but not the branch name
    • Test that the policy is enforced when the policy is applied at group level and the exception's branch name and full path match only the project's branch name, but not the full path
    • Test that the policy is not enforced when the policy is applied at group level and the exception's branch name matches the project's branch name
    • Test that the policy is not enforced when the policy is applied at project level and the exception's branch name matches the project's branch name

Implementation plan

  • MR1:
    • Backend: modify ee/app/services/security/security_orchestration_policies/policy_branches_service.rb to support branch exceptions defined for both Scan Execution Policies and Scan Result Policies
    • See: !126963 (diffs)

Verification steps

  1. Create a new Project
  2. Create a new Scan Result Policy in YAML mode and add branch_exceptions: ["dev", { full_path: "path/to/project", "name": "main" }]
  3. Create a new Scan Execution Policy in YAML mode and add branch_exceptions: ["dev", { full_path: "path/to/project", "name": "main" }]
  4. Try to create an invalid policy with invalid branch_exceptions
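The matching rules spelled out in the testing checklist, together with the validation implied by verification step 4, as an added Ruby model; this is example code, not GitLab's PolicyBranchesService, and the Project struct, the enabled_flags stand-in for Feature.enabled? and the derivation of the group full path from the project full path are assumptions made here.

```ruby
# Added example (not GitLab's PolicyBranchesService): a stand-alone model of the
# branch_exceptions rules from the testing checklist and verification steps.
FEATURE_FLAG = :security_policies_branch_exceptions

# Simplified stand-in for a project; only the full path is needed here.
Project = Struct.new(:full_path, keyword_init: true) do
  # Full path of the owning group, e.g. "group/sub" for "group/sub/project".
  def group_full_path
    full_path.rpartition('/').first
  end
end

# Validation for "invalid branch_exceptions": each entry must be a non-empty
# branch name or a hash with exactly the keys full_path and name (both strings).
def valid_branch_exceptions?(exceptions)
  return false unless exceptions.is_a?(Array)
  exceptions.all? do |entry|
    case entry
    when String then !entry.strip.empty?
    when Hash
      e = entry.transform_keys(&:to_s)
      e.keys.sort == %w[full_path name] &&
        e.values.all? { |v| v.is_a?(String) && !v.empty? }
    else false
    end
  end
end

# True when one exception entry excepts `branch` of `project`: a plain name
# matches by branch name only; a {full_path, name} entry needs the name to
# match and full_path to equal the project's full path or its group's full path.
def exception_matches?(entry, project:, branch:)
  case entry
  when String then entry == branch
  when Hash
    e = entry.transform_keys(&:to_s)
    e['name'] == branch &&
      [project.full_path, project.group_full_path].include?(e['full_path'])
  else false
  end
end

# Whether the policy is enforced on project/branch (assuming the branch already
# matches the policy's branch list). `enabled_flags` stands in for Feature.enabled?;
# with the flag disabled, branch_exceptions are ignored and the policy is enforced.
def policy_enforced?(policy, project:, branch:, enabled_flags: [FEATURE_FLAG])
  return true unless enabled_flags.include?(FEATURE_FLAG)
  policy.fetch(:branch_exceptions, []).none? do |entry|
    exception_matches?(entry, project: project, branch: branch)
  end
end
```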
Edited by Dominic Bauer