Introduce additional granular controls to toggle the feature
Overview
In order to make adoption of this feature easier, we should introduce more granular controls to enable/disable the feature. At the moment, only instance-level configuration is available, and we would like to expand to other options (e.g. organization, group, and project).
This would also support the integration (internal only) with Security Policies. Having granular settings is a prerequisite for us to be able to add an additional option in the Scan Execution Policy to enforce pre-receive secret detection for a group or project where the policy is applied.
Also, as part of this effort, we should probably remove the existing per-project feature flag as such controls will likely replace it.
Permissions
We need to limit the ability to change these settings to Owners or Maintainers.
Proposal
Adding a new setting at the group or project level would likely require creating a new database column, and each setting has to be available to set or update using either the API or the UI. We propose the following list of tasks to implement this change:
- Add new group-level setting in database to toggle feature on/off.
- Add new project-level setting in database to toggle feature on/off.
- Add the new setting to API and UI to allow toggling the feature for a group.
- Add the new setting to API and UI to allow toggling the feature for a project.
- Update secrets push check to honour the new settings and remove the aforementioned feature flag.
- Update documentation with a matrix of those controls and their precedence.
- Define and document the permission required to change the setting.