Wrong linked security policies for compliance framework
Summary
When security policies are scoped to a compliance framework via `policy_scope`, the list of policies reported as linked to each framework is wrong: every framework reports all policies in the group, not only the ones whose `policy_scope` references it.
Steps to reproduce
- Create a new group and enable `Security policy scope (Experiment)` in Settings, under Permissions and group features
- Create two compliance frameworks, `cf-1` and `cf-2`, using Security ▶ Compliance center ▶ Frameworks
- Create three scan execution policies in the group with the following config:

```yaml
---
scan_execution_policy:
  - name: demo-scan-1
    description: ''
    enabled: true
    policy_scope:
      compliance_frameworks:
        - id: 375
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
  - name: demo-scan-2
    description: ''
    enabled: true
    policy_scope:
      compliance_frameworks:
        - id: 376
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
  - name: demo-scan-3
    description: ''
    enabled: true
    policy_scope:
      compliance_frameworks: []
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
```

(replace 375 and 376 with the ids of the compliance frameworks created above)
This configures the following:

- `demo-scan-1` is linked to compliance framework `cf-1`
- `demo-scan-2` is linked to compliance framework `cf-2`
- `demo-scan-3` is not linked to any framework (empty `compliance_frameworks`)
- Run the following GraphQL query using graphql-explorer:

```graphql
{
  namespace(fullPath: "demo-compliance-security-policies") {
    complianceFrameworks {
      nodes {
        id
        scanExecutionPolicies {
          nodes {
            name
            enabled
          }
        }
      }
    }
  }
}
```
What is the current bug behavior?
All policies are reported as linked to all frameworks, including `demo-scan-3`, which has an empty `compliance_frameworks` list:

```json
{
  "data": {
    "namespace": {
      "complianceFrameworks": {
        "nodes": [
          {
            "id": "gid://gitlab/ComplianceManagement::Framework/375",
            "scanExecutionPolicies": {
              "nodes": [
                { "name": "demo-scan-1", "enabled": true },
                { "name": "demo-scan-2", "enabled": true },
                { "name": "demo-scan-3", "enabled": true }
              ]
            }
          },
          {
            "id": "gid://gitlab/ComplianceManagement::Framework/376",
            "scanExecutionPolicies": {
              "nodes": [
                { "name": "demo-scan-1", "enabled": true },
                { "name": "demo-scan-2", "enabled": true },
                { "name": "demo-scan-3", "enabled": true }
              ]
            }
          }
        ]
      }
    }
  }
}
```
What is the expected correct behavior?
- framework `cf-1` includes only the `demo-scan-1` security policy
- framework `cf-2` includes only the `demo-scan-2` security policy
- `demo-scan-3` appears under neither framework
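As an added check for this report (example code written here, not GitLab's own), the Ruby script below derives the expected framework-to-policy links from the `policy_scope` of the policy YAML above, parses the `complianceFrameworks` GraphQL response into the same shape, and lists every discrepancy. The policy YAML, the buggy response and a correct response are constructed inline from the values quoted in this report; the ids 375 and 376 are the same stand-ins for `cf-1` and `cf-2`.

```ruby
require 'yaml'
require 'json'

# Constructed input: the three scan execution policies from the reproduction
# steps (rules/actions omitted, they do not affect linking), with 375 and 376
# standing in for the ids of cf-1 and cf-2.
POLICY_YAML = <<~YAML
  scan_execution_policy:
    - name: demo-scan-1
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 375
    - name: demo-scan-2
      enabled: true
      policy_scope:
        compliance_frameworks:
          - id: 376
    - name: demo-scan-3
      enabled: true
      policy_scope:
        compliance_frameworks: []
YAML

FRAMEWORK_GID = 'gid://gitlab/ComplianceManagement::Framework/%d'

# Build one complianceFrameworks node in the shape the GraphQL query returns.
def framework_node(id, policy_names)
  { 'id' => format(FRAMEWORK_GID, id),
    'scanExecutionPolicies' => {
      'nodes' => policy_names.map { |n| { 'name' => n, 'enabled' => true } } } }
end

# Wrap nodes in the response envelope, serialised as the API would return it.
def response_json(nodes)
  JSON.generate('data' => { 'namespace' => { 'complianceFrameworks' => { 'nodes' => nodes } } })
end

# Constructed responses: the buggy one quoted in this report, and the correct one.
ALL_POLICIES = %w[demo-scan-1 demo-scan-2 demo-scan-3].freeze
BUGGY_RESPONSE   = response_json([framework_node(375, ALL_POLICIES),
                                  framework_node(376, ALL_POLICIES)])
CORRECT_RESPONSE = response_json([framework_node(375, %w[demo-scan-1]),
                                  framework_node(376, %w[demo-scan-2])])

# Expected links derived from policy_scope: framework gid => sorted policy names.
# A policy with an empty compliance_frameworks list links to no framework.
def expected_links(policy_yaml)
  policies = YAML.safe_load(policy_yaml).fetch('scan_execution_policy')
  links = Hash.new { |h, k| h[k] = [] }
  policies.each do |policy|
    (policy.dig('policy_scope', 'compliance_frameworks') || []).each do |fw|
      links[format(FRAMEWORK_GID, fw['id'])] << policy['name']
    end
  end
  links.transform_values(&:sort)
end

# Links as reported by the API, in the same shape.
def reported_links(response_json)
  nodes = JSON.parse(response_json).dig('data', 'namespace', 'complianceFrameworks', 'nodes')
  nodes.to_h do |fw|
    [fw['id'], fw.dig('scanExecutionPolicies', 'nodes').map { |p| p['name'] }.sort]
  end
end

# Every mismatch between the two views; empty when the API matches policy_scope.
def discrepancies(policy_yaml, response_json)
  expected = expected_links(policy_yaml)
  reported = reported_links(response_json)
  (expected.keys | reported.keys).sort.flat_map do |gid|
    extra   = reported.fetch(gid, []) - expected.fetch(gid, [])
    missing = expected.fetch(gid, []) - reported.fetch(gid, [])
    extra.map { |n| "#{gid}: API links #{n} but policy_scope does not" } +
      missing.map { |n| "#{gid}: policy_scope links #{n} but API omits it" }
  end
end

if $PROGRAM_NAME == __FILE__
  puts 'buggy response:'
  discrepancies(POLICY_YAML, BUGGY_RESPONSE).each { |d| puts "  #{d}" }
  puts "correct response: #{discrepancies(POLICY_YAML, CORRECT_RESPONSE).size} discrepancies"
end
```

Against the buggy response the script reports four extra links (demo-scan-2 and demo-scan-3 under 375, demo-scan-1 and demo-scan-3 under 376) and none against the correct response. To run it against a live instance, replace `BUGGY_RESPONSE` with the body returned by the query above and `POLICY_YAML` with the group's policy file.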
Relevant logs and/or screenshots
Edited by Illya Klymov