BE: Implement Backend Support for Basic Warn Mode in MR Approval Policies

Background

We are introducing a new "Warn" mode for MR approval policies to allow customers to observe and understand the impact of security policies before enforcing them. This feature will help security teams gradually roll out policies without immediately blocking developers.

Objectives

  1. Implement backend support for the new "Warn" mode in MR approval policies
  2. Ensure proper handling of the Warn mode in the policy evaluation process
  3. Update the API to support the new Warn mode configuration

Tasks

1. Policy Schema and Model Updates

  • Update the JSON schema for security orchestration policies to include the new "Warn" mode
  • Modify the policy model to handle the new Warn mode configuration
  • Ensure backward compatibility with existing policy configurations

2. Policy Evaluation Logic

  • Implement logic to handle Warn mode during policy evaluation
  • Ensure that Warn mode policies generate bot comments but do not require approvals
  • Update the policy evaluation process to distinguish between Warn mode and regular policies

3. API Updates

  • Extend the API to support creating and updating policies with Warn mode
  • Update API responses to include Warn mode information in policy details
  • Ensure API documentation is updated to reflect the new Warn mode option

4. Bot Comment Generation

  • Modify the bot comment generation logic to work with Warn mode policies
  • Ensure that bot comments for Warn mode policies are clearly distinguishable from regular policy violations

5. MR Approval Rule Handling

  • Update the MR approval rule generation to handle Warn mode policies
  • Ensure that Warn mode policies create optional approval rules (0 approvals required)
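The following is an added example, not GitLab's own code, sketching how tasks 1, 2, 4 and 5 fit together in one evaluation pass: a policy model with a mode field that defaults to enforcing for legacy policies (backward compatibility), approval rules that are optional (0 approvals required) for Warn mode, and a bot comment that puts Warn-mode violations under their own heading so they are distinguishable from blocking violations. The key name `enforcement`, the values `enforce`/`warn`, the `severity_levels` matching rule, and the assumption that an enforced policy with no violations also requires 0 approvals are all assumptions made for this example; the sample policies and findings are constructed.

```ruby
require 'json'

MODES = %w[enforce warn].freeze

# Normalize one raw policy hash (as it would come from the policy YAML/JSON).
# The `enforcement` key is an assumption for this example. Policies written
# before Warn mode existed carry no such key and must keep enforcing.
def normalize_policy(raw)
  mode = raw.fetch('enforcement', 'enforce')
  raise ArgumentError, "unknown enforcement mode #{mode.inspect}" unless MODES.include?(mode)

  {
    'name' => raw.fetch('name'),
    'enforcement' => mode,
    'approvals_required' => Integer(raw.fetch('approvals_required', 1)),
    'severity_levels' => Array(raw['severity_levels'])
  }
end

def warn_mode?(policy)
  policy['enforcement'] == 'warn'
end

# Findings that violate the policy: any at a severity the policy names
# (simplified matching rule, assumed for this example).
def violations(policy, findings)
  findings.select { |f| policy['severity_levels'].include?(f['severity']) }
end

# Build the MR approval rule for one policy. A Warn-mode policy always yields an
# optional rule (approvals_required: 0). An enforced policy requires the
# configured approvals when violated and 0 otherwise (assumed behaviour).
def approval_rule(policy, findings)
  violated = !violations(policy, findings).empty?
  required = if warn_mode?(policy) || !violated
               0
             else
               policy['approvals_required']
             end
  { 'name' => policy['name'], 'approvals_required' => required,
    'violated' => violated, 'warn_mode' => warn_mode?(policy) }
end

# Bot comment text. Warn-mode violations go under a separate, clearly labelled
# heading so a reader can tell which policies block the merge and which only
# warn. Returns nil when no policy is violated.
def bot_comment(policies, findings)
  blocking = []
  warnings = []
  policies.each do |policy|
    v = violations(policy, findings)
    next if v.empty?

    line = "- #{policy['name']}: #{v.size} finding(s) (#{v.map { |f| f['severity'] }.uniq.join(', ')})"
    (warn_mode?(policy) ? warnings : blocking) << line
  end
  return nil if blocking.empty? && warnings.empty?

  parts = []
  parts << "### :no_entry: Policy violations (approval required)\n#{blocking.join("\n")}" unless blocking.empty?
  parts << "### :warning: Warn mode (not blocking, no approval required)\n#{warnings.join("\n")}" unless warnings.empty?
  parts.join("\n\n")
end

# One evaluation pass over an MR: rules for every policy plus the comment body.
def evaluate(raw_policies, findings)
  policies = raw_policies.map { |p| normalize_policy(p) }
  { 'rules' => policies.map { |p| approval_rule(p, findings) },
    'comment' => bot_comment(policies, findings) }
end

# Constructed sample input (not real data): a legacy policy with no mode key,
# a Warn-mode policy, and two scan findings on the MR.
SAMPLE_POLICIES = JSON.parse(<<~JSON)
  [
    {"name": "Block critical vulns", "approvals_required": 2, "severity_levels": ["critical"]},
    {"name": "Observe high vulns", "enforcement": "warn", "severity_levels": ["high"]}
  ]
JSON
SAMPLE_FINDINGS = [
  { 'id' => 'f1', 'severity' => 'critical' },
  { 'id' => 'f2', 'severity' => 'high' }
].freeze

if __FILE__ == $PROGRAM_NAME
  result = evaluate(SAMPLE_POLICIES, SAMPLE_FINDINGS)
  puts JSON.pretty_generate(result['rules'])
  puts result['comment']
end
```

Running the file shows the mixed case from the Notes: both policies are violated, only the enforced one requires approvals, and the comment carries two headings. An unknown mode value is rejected at normalization time rather than silently treated as enforcing, which is the safer failure for a security policy.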

6. Testing

  • Add unit tests for new Warn mode functionality
  • Update existing integration tests to cover Warn mode scenarios
  • Create new integration tests specifically for Warn mode behavior

7. Performance Considerations

  • Analyze and optimize the performance impact of adding Warn mode to policy evaluation
  • Ensure that Warn mode does not significantly increase policy evaluation time

8. Database Updates (if necessary)

  • Determine if any database schema changes are required to support Warn mode
  • If needed, create and test database migrations

Acceptance Criteria

  • Warn mode policies can be created, updated, and deleted through the API
  • Policy evaluation correctly handles Warn mode, generating bot comments without requiring approvals
  • MR approval rules for Warn mode policies are created as optional (0 approvals required)
  • Bot comments for Warn mode policy violations are clearly distinguishable
  • Existing policies and functionality are not negatively impacted by the introduction of Warn mode
  • Performance impact of Warn mode is minimal and within acceptable limits

Notes

  • Coordinate with the frontend team to ensure alignment on the Warn mode implementation
  • Consider potential edge cases, such as mixing Warn mode with other policy actions
  • Keep in mind the future possibility of making MRs with policy violations searchable/queryable, even though it's out of scope for this MVC
Edited by Alan (Maciej) Paruszewski