BE: Add GraphQL API to list policies for selected Compliance Framework

Why are we doing this work

In the scope of Security Policy Scopes (&5510 - closed), we would like to allow users to save Policy YAML with policy scope in it. Based on designs and descriptions from the Epic, we would like to be able to specify policy scope based on:

  • assigned compliance frameworks,
  • list with included projects,
  • list with excluded projects.

policy_scope:
  compliance_frameworks:
  - id: 12345
  - id: 23456
  projects:
    including:
    - id: 12345
    - id: 23456
    excluding:
    - id: 34567
    - id: 45678

In the scope of this issue, we want to add the logic needed to list, in the GraphQL API, the policies whose policy_scope is configured with the selected Compliance Framework. We need to ensure that these policies are only listed in GraphQL when the API user has permission to see them.

In the scope of this issue, we want to add two new fields to ComplianceManagement::ComplianceFrameworkType:

field :scan_execution_policies,
      ::Types::SecurityOrchestration::ScanExecutionPolicyType.connection_type,
      calls_gitaly: true,
      null: true,
      description: 'Scan Execution Policies of the compliance framework.',
      resolver: ::Resolvers::SecurityOrchestration::ScanExecutionPolicyResolver

field :scan_result_policies,
      ::Types::SecurityOrchestration::ScanResultPolicyType.connection_type,
      calls_gitaly: true,
      null: true,
      description: 'Scan Result Policies of the compliance framework',
      resolver: ::Resolvers::SecurityOrchestration::ScanResultPolicyResolver

Relevant links

Non-functional requirements

  • Documentation: updated
  • Feature flag: we should only list policies when the security_policies_policy_scope feature flag is enabled,
  • Performance: Verify performance impact with policies configured across many projects/subgroups within the group,
  • Testing:

Implementation plan

  • backend Create a new finder that queries compliance_framework_security_policies by framework_id and gets all policies by policy_id and security_orchestration_policy_configuration_id
  • backend Use the finder in ComplianceManagement::ComplianceFrameworkType for scan_result_policies and scan_execution_policies
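The finder sketched in plain Ruby, as an added example that is not GitLab's code: the Structs stand in for the compliance_framework_security_policies join table, the policy records and the policy configurations, and `readable_by` is a hypothetical stand-in for the ability check GitLab would run; it shows the feature-flag gate and the per-user authorization filter that keeps unreadable policies out of the GraphQL response.

```ruby
require 'set'

# Constructed stand-ins for the tables named in the implementation plan.
FrameworkPolicyLink = Struct.new(:framework_id, :policy_id, :security_orchestration_policy_configuration_id)
SecurityPolicy      = Struct.new(:id, :security_orchestration_policy_configuration_id, :type, :name)
# readable_by is a hypothetical stand-in for the permission check on the
# configuration's project or group (who may read its policies).
PolicyConfiguration = Struct.new(:id, :readable_by)

class ComplianceFrameworkPoliciesFinder
  def initialize(user, framework_id, links:, policies:, configurations:, feature_flag_enabled: true)
    @user = user
    @framework_id = framework_id
    @links = links
    # Policies are looked up by (policy_id, security_orchestration_policy_configuration_id).
    @policies = policies.to_h { |p| [[p.id, p.security_orchestration_policy_configuration_id], p] }
    @configurations = configurations.to_h { |c| [c.id, c] }
    @feature_flag_enabled = feature_flag_enabled
  end

  # Returns the policies of one type (:scan_execution or :scan_result) linked to
  # the framework that the current user is allowed to see.
  def execute(type)
    return [] unless @feature_flag_enabled # security_policies_policy_scope gate

    @links.select { |l| l.framework_id == @framework_id }.filter_map do |link|
      config_id = link.security_orchestration_policy_configuration_id
      config = @configurations[config_id]
      # Authorization: silently drop policies the user cannot read, so the response
      # does not reveal that a hidden configuration exists.
      next unless config && config.readable_by.include?(@user)

      policy = @policies[[link.policy_id, config_id]]
      next unless policy && policy.type == type

      policy
    end
  end
end

# Constructed sample data: framework 12345 links into two configurations, and the
# user "alice" may read only configuration 10.
def sample_finder(user, feature_flag_enabled: true)
  links = [FrameworkPolicyLink.new(12345, 1, 10), FrameworkPolicyLink.new(12345, 2, 10),
           FrameworkPolicyLink.new(12345, 1, 20), FrameworkPolicyLink.new(23456, 3, 10)]
  policies = [SecurityPolicy.new(1, 10, :scan_execution, 'Run SAST on push'),
              SecurityPolicy.new(2, 10, :scan_result, 'Require approval on critical findings'),
              SecurityPolicy.new(1, 20, :scan_execution, 'Hidden group policy'),
              SecurityPolicy.new(3, 10, :scan_result, 'Other framework policy')]
  configurations = [PolicyConfiguration.new(10, Set['alice']), PolicyConfiguration.new(20, Set['bob'])]
  ComplianceFrameworkPoliciesFinder.new(user, 12345, links: links, policies: policies,
                                         configurations: configurations, feature_flag_enabled: feature_flag_enabled)
end
```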

Verification steps

TBD

Edited by Sashi Kumar Kumaresan