[backend] Add new pipeline execution policy schema and GraphQL mutation
Add a new policy type, Pipeline execution policy, to enforce custom CI jobs on projects. More details in &13266.
For the first iteration, we can add the schema and a GraphQL mutation to modify the security policy YML file.
Schema examples:
Secret detection:

```yaml
name: "Secret detection"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  workflow:
    rules:
      - if: $CI_COMMIT_REF_PROTECTED == false || $CI_COMMIT_REF_NAME == 'main'
        when: never
  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml
```
Using a config file:

```yaml
name: "Ci config file"
description: "triggers all protected branches except main"
enabled: true
override_project_ci: true
content:
  include:
    project: pipeline-execution-policy/security-policy-project
    file: ci.yml
```
Implementation plan
- Update the security policy schema:
diff --git a/ee/app/validators/json_schemas/security_orchestration_policy.json b/ee/app/validators/json_schemas/security_orchestration_policy.json
index 2c20ce3d32fa..9bccae03f15d 100644
--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -18,9 +18,38 @@
"required": [
"approval_policy"
]
+ },
+ {
+ "required": [
+ "pipeline_execution_policy"
+ ]
}
],
"properties": {
+ "pipeline_execution_policy": {
+ "type": "object",
+ "description": "Declares required security scans to be run on a specified schedule or with the project pipeline.",
+ "additionalItems": false,
+ "properties": {
+ "name": {
+ "description": "Name for the policy.",
+ "minLength": 1,
+ "maxLength": 255,
+ "type": "string"
+ },
+ "description": {
+ "description": "Specifies the longer description of the policy.",
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Whether to enforce this policy or not.",
+ "type": "boolean"
+ },
+ "content": {
+ "type": "object"
+ }
+ }
+ },
"scan_execution_policy": {
"type": "array",
"description": "Declares required security scans to be run on a specified schedule or with the project pipeline.",
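Review bot: `"additionalItems": false` on the `pipeline_execution_policy` object has no effect, because `additionalItems` is an array keyword; for an object the keyword is `"additionalProperties": false`, so as written any unknown key is accepted by the validator. Once that is corrected, the `override_project_ci: true` key used in both schema examples in the description must be declared as a `"type": "boolean"` property or those examples will be rejected. The object also declares no `required` list (`name`, `enabled` and `content` look mandatory from the examples), and the `description` string is copied from `scan_execution_policy` ("Declares required security scans ...") and does not describe what a pipeline execution policy does; suggest a description along the lines of "Declares CI configuration to be enforced on project pipelines."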
- Add a new GraphQL mutation and resolver for the new policy type. We can look at the existing policy mutations for reference.
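As an added example (not GitLab's code), the following stdlib-only Ruby script checks the two policy examples from the description against the constraints the proposed schema defines (`name` 1..255 characters, `description` string, `enabled` boolean, `content` object). It hand-rolls the checks instead of using a JSON Schema library so it runs without gems, and it mirrors the proposed schema's behaviour of not rejecting unknown keys; the `strict:` option is an assumption about the intended `additionalProperties: false` behaviour and shows that, once enforced, the undeclared `override_project_ci` key in both examples would fail validation. The policy file below is constructed from the two examples in this issue.

```ruby
require 'yaml'

# Constructed sample: the two policy examples from this issue, as they would
# appear under a pipeline_execution_policy list in the security policy YML file.
POLICY_YML = <<~YAML
  pipeline_execution_policy:
    - name: "Secret detection"
      description: "triggers all protected branches except main"
      enabled: true
      override_project_ci: true
      content:
        workflow:
          rules:
            - if: $CI_COMMIT_REF_PROTECTED == false || $CI_COMMIT_REF_NAME == 'main'
              when: never
        include:
          - template: Jobs/Secret-Detection.gitlab-ci.yml
    - name: "Ci config file"
      description: "triggers all protected branches except main"
      enabled: true
      override_project_ci: true
      content:
        include:
          project: pipeline-execution-policy/security-policy-project
          file: ci.yml
YAML

# Keys declared by the proposed schema. override_project_ci is deliberately
# absent here because the proposed schema does not declare it.
KNOWN_KEYS = %w[name description enabled content].freeze

# Validate one policy object, returning an array of error strings (empty = valid).
# Constraints mirror the proposed JSON schema: types are checked only for keys
# that are present, since the schema declares no "required" list.
# strict: true additionally rejects unknown keys, which is what
# "additionalProperties": false would do (assumed intended behaviour; the
# proposed "additionalItems": false is an array keyword and does nothing here).
def validate_policy(policy, strict: false)
  return ['policy must be an object'] unless policy.is_a?(Hash)

  errors = []

  if policy.key?('name')
    name = policy['name']
    if !name.is_a?(String)
      errors << 'name must be a string'
    elsif name.length < 1 || name.length > 255
      errors << 'name must be between 1 and 255 characters'
    end
  end

  if policy.key?('description') && !policy['description'].is_a?(String)
    errors << 'description must be a string'
  end

  if policy.key?('enabled') && ![true, false].include?(policy['enabled'])
    errors << 'enabled must be a boolean'
  end

  if policy.key?('content') && !policy['content'].is_a?(Hash)
    errors << 'content must be an object'
  end

  if strict
    (policy.keys - KNOWN_KEYS).each { |key| errors << "unknown key: #{key}" }
  end

  errors
end

# Parse a policy file and validate every pipeline_execution_policy entry.
# Returns { index => [errors] }. safe_load refuses arbitrary object types.
def validate_policy_file(yaml_text, strict: false)
  doc = YAML.safe_load(yaml_text)
  policies = doc.fetch('pipeline_execution_policy', [])
  policies.each_with_index.map { |policy, i| [i, validate_policy(policy, strict: strict)] }.to_h
end

if $PROGRAM_NAME == __FILE__
  puts "as proposed:  #{validate_policy_file(POLICY_YML).inspect}"
  puts "strict keys:  #{validate_policy_file(POLICY_YML, strict: true).inspect}"
  puts "bad policy:   #{validate_policy({ 'name' => '', 'enabled' => 'yes', 'content' => 'x' }).inspect}"
end
```

With the schema as proposed both examples validate; with strict key checking both are rejected solely because `override_project_ci` is undeclared, which is the case for declaring it as a boolean property in the schema.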
Edited by Andy Schoenen