BE: Synchronize Scan Result Policies after Compliance Framework changes
Why are we doing this work
In the scope of Security Policy Scopes (&5510 - closed), we would like to allow users to save Policy YAML with policy scope in it. Based on designs and descriptions from the Epic, we would like to be able to specify policy scope based on:
- assigned compliance frameworks,
- list with included projects,
- list with excluded projects.
```yaml
policy_scope:
  compliance_frameworks:
    - id: 12345
    - id: 23456
  projects:
    including:
      - id: 12345
      - id: 23456
    excluding:
      - id: 34567
      - id: 45678
```
In the scope of this issue, we want to add the logic needed to synchronize Scan Result Policies for a given project whenever the Compliance Framework setting is changed for that project.
Relevant links
Non-functional requirements
- Documentation: add information to the documentation about the automatic updates that happen to applied policies whenever the Compliance Framework for a project is changed,
- Feature flag: we should only sync when the `security_policies_policy_scope` feature flag is enabled,
- Performance: verify the performance impact when many changes are made to the compliance framework setting,
- Testing:
  - verify that sync happens whenever we delete the compliance framework,
  - verify that sync happens whenever we update the project setting related to the compliance framework,
Implementation plan
- backend Create a new table `compliance_framework_security_policies` with `framework_id`, `security_orchestration_policy_configuration_id` and `policy_index`.
- backend Create a new service that creates rows in `compliance_framework_security_policies` whenever the policy.yml is updated/created. Call this service from `UpdateOrchestrationPolicyConfiguration#update_policy_configuration`.
- backend Call the service when these events happen:
  - `ComplianceManagement::Framework` is deleted
  - `ComplianceManagement::ComplianceFramework::ProjectSettings` is updated/deleted/created
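As an added illustration (not GitLab's own code), the Ruby sketch below models the pieces this plan describes: building rows for `compliance_framework_security_policies` from a policy.yml, looking up which policies a framework change touches so they can be re-synced, and the `policy_scope` check that decides whether a scan result policy applies to a project. The policy.yml layout (a top-level `scan_result_policy` list), the function names, and the precedence between `excluding`, `including` and `compliance_frameworks` are assumptions; the sample policies are constructed.

```ruby
# Added example, not GitLab code. Models the compliance_framework_security_policies
# join table and policy_scope matching described in this issue. The policy.yml
# layout (top-level `scan_result_policy:` list), function names and the
# scope precedence are assumptions.
require 'yaml'

# Constructed sample policy.yml, shaped like the policy in the verification steps.
POLICY_YML = <<~YAML
  scan_result_policy:
    - name: SRP
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 5
      rules:
        - type: scan_finding
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
    - name: Framework 7 except project 42
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 7
        projects:
          excluding:
            - id: 42
    - name: Unscoped
      enabled: true
YAML

# One row per (framework, policy configuration, policy index). policy_index is
# the position of the policy in the scan_result_policy list, so a framework
# change can be mapped back to the exact policy that must be re-synced.
def compliance_framework_policy_rows(policy_yml, configuration_id)
  policies = YAML.safe_load(policy_yml).fetch('scan_result_policy', [])
  policies.each_with_index.flat_map do |policy, index|
    frameworks = policy.dig('policy_scope', 'compliance_frameworks') || []
    frameworks.map do |fw|
      { framework_id: fw['id'],
        security_orchestration_policy_configuration_id: configuration_id,
        policy_index: index }
    end
  end
end

# (configuration_id, policy_index) pairs to re-sync when a framework is deleted
# or assigned/unassigned on a project; this is what the join table is for.
def affected_policies(rows, framework_id)
  rows.select { |r| r[:framework_id] == framework_id }
      .map { |r| [r[:security_orchestration_policy_configuration_id], r[:policy_index]] }
      .uniq
end

# Scope check. ASSUMED precedence (the issue does not spell it out): an explicit
# exclusion wins; otherwise the project matches if it is listed under
# `including` or carries one of the listed compliance frameworks; a policy
# without policy_scope applies to every project.
def policy_applies?(policy, project_id:, framework_ids:)
  scope = policy['policy_scope']
  return true if scope.nil? || scope.empty?

  ids = ->(list) { (list || []).map { |e| e['id'] } }
  return false if ids.call(scope.dig('projects', 'excluding')).include?(project_id)
  return true  if ids.call(scope.dig('projects', 'including')).include?(project_id)

  (ids.call(scope['compliance_frameworks']) & framework_ids).any?
end

# Names of enabled policies that apply to a project given its current framework
# assignments; re-running this after a framework change is the "sync".
def policies_requiring_approval(policy_yml, project_id:, framework_ids:)
  YAML.safe_load(policy_yml).fetch('scan_result_policy', [])
      .select { |p| p['enabled'] && policy_applies?(p, project_id: project_id, framework_ids: framework_ids) }
      .map { |p| p['name'] }
end

if __FILE__ == $PROGRAM_NAME
  rows = compliance_framework_policy_rows(POLICY_YML, 100)
  p rows
  p affected_policies(rows, 5)
  p policies_requiring_approval(POLICY_YML, project_id: 1, framework_ids: [5])
  p policies_requiring_approval(POLICY_YML, project_id: 1, framework_ids: [])
end
```

Running it with the constructed input shows the two rows the table would hold (frameworks 5 and 7, policy indexes 0 and 1), that deleting framework 5 touches only policy 0 of configuration 100, and that the `SRP` approval requirement appears for a project only while framework 5 is assigned to it, which is the behaviour the verification steps check by hand.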
Verification steps
- Create a top-level group and create a compliance framework
- Create 2 projects within the group
- Create a scan result policy with `policy_scope` and add the ID of the compliance framework:
```yaml
type: scan_result_policy
name: SRP
description: ''
enabled: true
policy_scope:
  compliance_frameworks:
    - id: 5
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 22
```
- Assign the compliance framework to one of the projects in the group (Settings -> General -> Compliance Frameworks)
- Create an MR that updates the README in both projects and verify that the project with the compliance framework assigned requires an approval and the project without the compliance framework does not
- Unassign the compliance framework from the project and verify that the approval is removed from the MR
- Unassign the security policy project and verify that the approval is removed; then assign the security policy project again and verify that the approval is enforced again
Edited by Sashi Kumar Kumaresan