Implement Audit events for policy management operations

Why are we doing this work

This task involves implementing audit events for security policy creation, modification, and deletion operations to provide better visibility and traceability for security and compliance teams.

Links / references

Related to Epic: Security Policy Audit Events
Spike issue: #528565 (closed)
POC MR: !188432 (closed)

Use Cases

Generate consolidated audit events for policies created/managed at the group or subgroup level
Generate specific audit events when policies are changed, with clear identification of the modified policy
Consolidate and streamline audit events generated by Security Policy Projects (SPPs) to avoid duplication across projects

Implementation Details

POC: !188432 (closed)

Integrate with SyncPolicyWorker which is triggered based on policy events
Implement feature flag for controlled rollout and performance monitoring according to the [Feature Flag] Rollout of security_policy_audit_events
Document the behavior where renaming a policy results in a delete + create action rather than a single update for audit events
Ensure audit events are both streamed and saved to the database
Audit events will be scoped to the Security Policy Project

Technical Considerations:

Ensure proper attribution of user actions in the audit events
Include relevant contextual metadata in the events (policy type, affected resources, etc.)

Success Criteria

Audit events are generated for policy creation, modification, and deletion
Events provide sufficient context for security/compliance professionals
Implementation is covered by tests
Feature is behind a feature flag

Verification Steps

Create a project
Navigate to "Secure => Policies => New policy"
Create a security policy with a merge request
Go to the Security Policy Project
Navigate to Secure => Audit events
Audit events is recorded for security policy creation
Verify modifying/deleting the policy also generates audit events

Edited Jun 06, 2025 by 🤖 GitLab Bot 🤖