Jobs from scan execution policies are still running after downgrading to Premium

Summary

During an Ultimate trial, a GitLab.com customer implemented scan execution policies. The trial is now over and they reverted to Premium. The security policy project has been deleted. However, the jobs defined via policies are still being executed.

Steps to reproduce

I do not have more information other than this is happening in some projects, not all. In the shared example, the customer implemented secret detection via a scan execution policy. This job is still included by default in some projects.

I can share the link to the customer project privately.

What is the expected correct behavior?

After downgrading to Premium from an Ultimate trial, jobs defined via security policies should no longer be running in the project's pipelines.

Implementation Plan

diff --git a/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb b/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
index f723b4e0826c..a5929024fcab 100644
--- a/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
+++ b/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
@@ -17,7 +17,11 @@ def perform
       Security::OrchestrationPolicyRuleSchedule.with_configuration_and_project_or_namespace.with_owner.with_security_policy_bots.runnable_schedules.find_in_batches do |schedules|
         schedules.each do |schedule|
           with_context(project: schedule.security_orchestration_policy_configuration.project, user: schedule.owner) do
-            if schedule.security_orchestration_policy_configuration.project?
+            config = schedule.security_orchestration_policy_configuration
+
+            next unless security_policy_feature_available?(config)
+
+            if config.project?
               schedule_rules(schedule)
             else
               Security::OrchestrationPolicyRuleScheduleNamespaceWorker.perform_async(schedule.id)
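Review bot: the `next unless security_policy_feature_available?(config)` guard skips the schedule silently. Nothing is logged and nothing on the schedule is changed before the skip, so if an unlicensed schedule stays in `runnable_schedules` it will be loaded and skipped again on every run of this worker, and there is no trace to confirm why a policy stopped running after a downgrade. Consider logging the skip with the schedule and configuration ids. Two smaller points: `with_context` on the line above still walks `schedule.security_orchestration_policy_configuration.project`, so assigning `config` before `with_context` would let both lines share it; and this guard only covers schedule-triggered runs in this worker, while the report describes a job that is still included in project pipelines, so it is worth confirming in the description that the pipeline path has its own license check.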
@@ -29,6 +33,16 @@ def perform
 
     private
 
+    def security_policy_feature_available?(config)
+      actor = if config.project?
+                config.project
+              else
+                config.namespace
+              end
+
+      actor.licensed_feature_available?(:security_orchestration_policies)
+    end
+
     def schedule_rules(schedule)
       project = schedule.security_orchestration_policy_configuration.project
       return if project.marked_for_deletion?
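Review bot: `security_policy_feature_available?` calls `actor.licensed_feature_available?(:security_orchestration_policies)` with no nil guard on `actor`. The `with_configuration_and_project_or_namespace` scope name suggests one of the two is always present, but the helper itself does not enforce that, and a nil `config.project` or `config.namespace` here would raise NoMethodError inside `perform` and stop the remaining schedules in the batch from being processed. Returning false when `actor` is nil (for example with `actor&.licensed_feature_available?(...)`) keeps the check fail-closed. The helper also needs spec coverage for both branches: a project-level and a namespace-level configuration, each with the feature licensed and unlicensed.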
Edited Jun 11, 2024 by Dominic Bauer