[backend] Add new pipeline execution policy schema and GraphQL mutation

Add a new policy type, pipeline execution policy, to enforce custom CI jobs on projects. More details in &13266 (closed).

For the first iteration, we can add the schema and a GraphQL mutation to modify the security policy YML file.

Schema examples:

Secret detection:

name: "Secret detection"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  workflow:
    rules:
      - if: $CI_COMMIT_REF_PROTECTED == false || $CI_COMMIT_REF_NAME == 'main'
        when: never
  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml

Using a config file:

name: "Ci config file"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  include:
    project: pipeline-execution-policy/security-policy-project
    file: ci.yml

Implementation plan

  1. Update the security policy schema:
diff --git a/ee/app/validators/json_schemas/security_orchestration_policy.json b/ee/app/validators/json_schemas/security_orchestration_policy.json
index 2c20ce3d32fa..9bccae03f15d 100644
--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -18,9 +18,38 @@
       "required": [
       "approval_policy"
       ]
+    },
+    {
+      "required": [
+        "pipeline_execution_policy"
+      ]
}
],
"properties": {
+    "pipeline_execution_policy": {
+      "type": "object",
+      "description": "Declares required security scans to be run on a specified schedule or with the project pipeline.",
+      "additionalItems": false,
+      "properties": {
+        "name": {
+          "description": "Name for the policy.",
+          "minLength": 1,
+          "maxLength": 255,
+          "type": "string"
+        },
+        "description": {
+          "description": "Specifies the longer description of the policy.",
+          "type": "string"
+        },
+        "enabled": {
+          "description": "Whether to enforce this policy or not.",
+          "type": "boolean"
+        },
+        "content": {
+          "type": "object"
+        }
+      }
+    },
"scan_execution_policy": {
       "type": "array",
       "description": "Declares required security scans to be run on a specified schedule or with the project pipeline.",
  2. Add a new GraphQL mutation and resolver for the new policy type. We can look into existing policy mutations for reference.
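As an added illustration of what the schema above should enforce once it is tightened (not GitLab's validator, which uses the full JSON Schema library), here is a minimal checker for the keywords the fragment uses; it assumes `"additionalProperties": false`, a `required` list, and a declared `override_project_ci` key, none of which are in the diff yet.

```python
# Minimal validator for the JSON Schema subset used by the pipeline_execution_policy
# fragment: type, properties, required, minLength, maxLength, additionalProperties.
# Added example, not GitLab's code. The schema below is the fragment from the issue
# plus three assumptions: required keys, additionalProperties: false, override_project_ci.
PIPELINE_EXECUTION_POLICY_SCHEMA = {
    "type": "object",
    "additionalProperties": False,              # assumption: reject unknown/typo'd keys
    "required": ["name", "enabled", "content"],  # assumption: minimum usable policy
    "properties": {
        "name": {"type": "string", "minLength": 1, "maxLength": 255},
        "description": {"type": "string"},
        "enabled": {"type": "boolean"},
        "override_project_ci": {"type": "boolean"},  # assumption, taken from the YAML examples
        "content": {"type": "object"},
    },
}

_TYPES = {"object": dict, "string": str, "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of error strings; an empty list means the value conforms."""
    errors = []
    expected = schema.get("type")
    if expected and not isinstance(value, _TYPES[expected]):
        return [f"{path}: expected {expected}"]
    if isinstance(value, str):
        if len(value) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if len(value) > schema.get("maxLength", len(value)):
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required key '{key}'")
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected key '{key}'")
    return errors


# The "Secret detection" example from the issue, as it parses from YAML (constructed here).
SECRET_DETECTION_POLICY = {
    "name": "Secret detection",
    "description": "triggers all protected branches except main",
    "enabled": True,
    "override_project_ci": True,
    "content": {
        "workflow": {"rules": [{"if": "$CI_COMMIT_REF_PROTECTED == false || $CI_COMMIT_REF_NAME == 'main'",
                                "when": "never"}]},
        "include": [{"template": "Jobs/Secret-Detection.gitlab-ci.yml"}],
    },
}
```

Running `validate(SECRET_DETECTION_POLICY, PIPELINE_EXECUTION_POLICY_SCHEMA)` returns an empty list, while a policy with an empty name, a string `enabled`, or a misspelled key gets one error per defect.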
Edited by Andy Schoenen