BE: Synchronize Scan Result Policies after Compliance Framework changes

Why are we doing this work

In the scope of Security Policy Scopes (&5510 - closed), we would like to allow users to save Policy YAML with policy scope in it. Based on designs and descriptions from the Epic, we would like to be able to specify policy scope based on:

  • assigned compliance frameworks,
  • list with included projects,
  • list with excluded projects.
policy_scope:
  compliance_frameworks:
  - id: 12345
  - id: 23456
  projects:
    including:
    - id: 12345
    - id: 23456
    excluding:
    - id: 34567
    - id: 45678

In the scope of this issue, we want to add the logic needed to synchronize Scan Result Policies for a given project whenever the Compliance Framework setting is changed for that project.

Relevant links

Non-functional requirements

  • Documentation: add information to documentation about automatic updates that are happening with applied policies whenever we update Compliance Framework for the project,
  • Feature flag: we should only do sync when we have security_policies_policy_scope feature flag enabled,
  • Performance: Verify performance impact when many changes are happening to compliance framework setting,
  • Testing:
    • verify that sync is happening whenever we delete the compliance framework,
    • verify that sync is happening whenever we update the setting in project related to compliance framework,

Implementation plan

  • backend Create a new table compliance_framework_security_policies with framework_id, security_orchestration_policy_configuration_id and policy_index.
  • backend Create a new service that creates rows in compliance_framework_security_policies whenever the policy.yml is updated/created. Call this service from UpdateOrchestrationPolicyConfiguration#update_policy_configuration
  • backend Call the service when these events happen:
    • ComplianceManagement::Framework is deleted
    • ComplianceManagement::ComplianceFramework::ProjectSettings is updated/deleted/created
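As an added illustration of the row-building step in the plan above (example code written for this issue, not GitLab's own service): it parses a constructed policy.yml, assumes the stored file keeps its scan result policies as a top-level `scan_result_policy` list, and returns the rows that would go into compliance_framework_security_policies plus the insert/delete diff a resync would apply.

```ruby
require 'yaml'

# Constructed sample policy.yml (not from a real project). Only the policies at
# index 0 and 2 carry a compliance-framework scope.
SAMPLE_POLICY_YML = <<~YAML
  scan_result_policy:
    - name: SRP
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 5
          - id: 7
    - name: unscoped
      enabled: true
    - name: SRP2
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 7
YAML

# Hypothetical helper: one row per (framework, policy index) pair referenced by
# the policy_scope of each scan result policy in the given configuration.
def framework_policy_rows(policy_yml, configuration_id)
  doc = YAML.safe_load(policy_yml) || {}
  policies = Array(doc['scan_result_policy'])

  policies.each_with_index.flat_map do |policy, index|
    next [] unless policy.is_a?(Hash)

    frameworks = Array(policy.dig('policy_scope', 'compliance_frameworks'))
    frameworks.filter_map do |fw|
      next unless fw.is_a?(Hash) && fw['id'].is_a?(Integer)

      { framework_id: fw['id'],
        security_orchestration_policy_configuration_id: configuration_id,
        policy_index: index }
    end
  end.uniq
end

# Hypothetical helper: diff the rows already stored for a configuration against
# the freshly parsed ones, so an update of policy.yml only touches what changed.
def sync_plan(existing_rows, new_rows)
  { insert: new_rows - existing_rows, delete: existing_rows - new_rows }
end
```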

Verification steps

  • Create a top level group and create a compliance framework
  • Create 2 projects within the group
  • Create a scan result policy with policy_scope and add the ID of the compliance framework:
type: scan_result_policy
name: SRP
description: ''
enabled: true
policy_scope:
  compliance_frameworks:
    - id: 5
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 22
  • Assign the compliance framework to one of the projects in the group (Settings -> General -> Compliance Frameworks)
  • Create an MR that updates the README in both the projects and verify that the project with compliance framework assigned requires an approval and the project without compliance framework does not require approval
  • Unassign the compliance framework from the project and verify that the approval is removed from MR
  • Unassign the security policy project and verify that the approval is removed; then assign the security policy project again and verify that the approval is enforced again
Edited by Sashi Kumar Kumaresan