Set SECURE_ENABLE_LOCAL_CONFIGURATION variable to false in newly created policies in SEP configured on Group-level
Why are we doing this work
In the scope of Prevent project-level SAST/SD/IaC config files ... (#414732 - closed), we have added a new variable, SECURE_ENABLE_LOCAL_CONFIGURATION, which allows users to disallow overriding project-level configuration in SAST/SD/IaC scanners.
We will begin adding this value by default when new policies are created, which will not impact existing policies. Users may update any pre-existing policies to apply the variable.
If the value is not supplied, the default value will be True.
Details from the above issue:
- Name: SECURE_ENABLE_LOCAL_CONFIGURATION
- This would have the value true or false. Use the same comparison semantics as SAST_DISABLED and similar variables.
- The default value, if the variable is not provided, is true.
- This single variable will control both SAST and Secret Detection. (IaC Scanning is implemented as part of SAST.)
- This variable only needs to control whether the local file is used or not.
Relevant links
Non-functional requirements
- Documentation: we should document that this variable is automatically added for group-level policies
- Feature flag:
- Performance:
- Testing:
  - Ensure that the variable is set for SAST/SD/IaC when it is configured on a group-level policy
  - Ensure that the variable is not set for SAST/SD/IaC when it is configured on a project-level policy
  - Ensure that the variable is not set for scans other than SAST/SD/IaC when it is configured on a group-level policy
  - Ensure that the variable is not set for scans other than SAST/SD/IaC when it is configured on a project-level policy
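The rules in the details and testing checklist above, worked through as an added example (not GitLab's own code): a helper that builds a policy action for a newly created policy, adding SECURE_ENABLE_LOCAL_CONFIGURATION=false only for SAST/SD/IaC scans on group-level policies, and a scanner-side check that treats a missing variable as true. The scan type names, the :group/:project scope symbols and the exact-string comparison are assumptions.

```ruby
# Added example, not GitLab code. Models the policy-creation rule from the
# issue: group-level policies get SECURE_ENABLE_LOCAL_CONFIGURATION=false for
# SAST/SD/IaC actions only; project-level policies and other scan types are
# left untouched.

# Scan types that honour the variable (IaC scanning is part of SAST).
# Assumption: these names match the "scan:" values used in policy YAML.
LOCAL_CONFIG_SCANS = %w[sast sast_iac secret_detection].freeze

# Build one action for a newly created policy.
# policy_scope: :group or :project (assumed representation).
# existing_variables: variables the policy author already set; they take
# precedence, so an author can still opt back in with "true".
def build_scan_action(scan:, policy_scope:, existing_variables: {})
  variables = {}
  if policy_scope == :group && LOCAL_CONFIG_SCANS.include?(scan)
    variables['SECURE_ENABLE_LOCAL_CONFIGURATION'] = 'false'
  end
  variables.merge!(existing_variables)

  action = { 'scan' => scan }
  action['variables'] = variables unless variables.empty?
  action
end

# Scanner side: the project-level config file is used unless the variable is
# explicitly "false". Absent variable means true, as the issue specifies.
# Assumption: exact string comparison, in the style of SAST_DISABLED checks.
def local_configuration_enabled?(variables)
  variables.fetch('SECURE_ENABLE_LOCAL_CONFIGURATION', 'true') != 'false'
end

if __FILE__ == $PROGRAM_NAME
  p build_scan_action(scan: 'sast', policy_scope: :group)
  p build_scan_action(scan: 'sast', policy_scope: :project)
  p build_scan_action(scan: 'container_scanning', policy_scope: :group)
  p local_configuration_enabled?({})
end
```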
Implementation plan
Verification steps
Edited by Grant Hickman