Implement policy limit and validation related audit events
Why are we doing this work
This task involves implementing audit events related to policy limits being exceeded and policy validation failures, providing visibility into configuration issues that affect security policy enforcement.
Links / references
- Related to Epic: Security Policy Audit Events
- Spike issue: #528565 (closed)
- POC MR: !188432 (closed)
Use Cases
- Generate an audit event if limits are exceeded and a pipeline execution policy is not applied
- Generate an audit event if limits are exceeded and a scan execution policy is not applied
- Generate an audit event if limits are exceeded and an MR approval policy is not applied
- Generate an audit event if policy.yml becomes invalid
Implementation Details
- Integrate with Security::SecurityOrchestrationPolicies::PersistPolicyService to check if policy limits are exceeded
- Integrate with Security::SecurityOrchestrationPolicies::ValidatePolicyService for policy.yml validation
- Integrate with UpdateOrchestrationPolicyConfiguration to handle direct commits to the SPP repo
- Account for different limit calculations for different policy types
Technical Considerations:
- Handle different limit calculations for different policy types (Approval policies, SEP, PEP)
- Generate audit events when persisting security policies, not when they are applied
- Ensure clear messaging about which limits were exceeded and why
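The following is an added, self-contained Ruby sketch of the behaviour described above (per-type limit checks and policy.yml validation producing audit events with clear messages); it is not GitLab's code, not the referenced MR, and the limits, required keys and event names are constructed assumptions.

```ruby
require 'yaml'

# Constructed per-type limits (assumption; real limits come from instance settings).
POLICY_LIMITS = {
  'approval_policy' => 5,
  'scan_execution_policy' => 5,
  'pipeline_execution_policy' => 5
}.freeze

# Required keys per policy type (constructed for this example, not the real validator).
REQUIRED_KEYS = {
  'approval_policy' => %w[name enabled rules actions],
  'scan_execution_policy' => %w[name enabled rules actions],
  'pipeline_execution_policy' => %w[name enabled content]
}.freeze

# Parses policy.yml text; returns [policies_hash, nil] or [nil, error_message].
def parse_policy_yml(text)
  data = YAML.safe_load(text)
  return [nil, 'policy.yml is not a mapping'] unless data.is_a?(Hash)
  [data, nil]
rescue Psych::SyntaxError => e
  [nil, "policy.yml has invalid YAML syntax: #{e.message}"]
end

# Builds the audit events to emit when persisting a policy.yml:
# one event per exceeded limit, one per policy failing validation.
def audit_events_for(policy_yml_text)
  policies, error = parse_policy_yml(policy_yml_text)
  return [{ name: 'security_policy_validation_failed', message: error }] if error

  events = []
  POLICY_LIMITS.each do |type, limit|
    list = Array(policies[type]) # missing type => empty list
    if list.size > limit
      events << { name: 'security_policy_limit_exceeded', policy_type: type,
                  message: "#{type} limit of #{limit} exceeded: #{list.size} defined; " \
                           'policies beyond the limit are not applied' }
    end
    list.each_with_index do |policy, i|
      missing = REQUIRED_KEYS[type] - (policy.is_a?(Hash) ? policy.keys : [])
      next if missing.empty?
      events << { name: 'security_policy_validation_failed', policy_type: type,
                  message: "#{type}[#{i}] is missing required keys: #{missing.join(', ')}" }
    end
  end
  events
end
```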
Success Criteria
- Audit events are generated when policy limits are exceeded
- Audit events are generated when policy.yml becomes invalid
- Events include detailed information about the validation failure or limit exceeded
- Implementation is covered by tests
- Feature is behind a feature flag
Verification Steps
- Create a project with a security policy project
- Create policies up to the limit for each policy type
- Attempt to create additional policies beyond the limit
- Verify audit events are generated when limits are exceeded
- Introduce invalid syntax in policy.yml
- Verify audit event is generated for invalid policy.yml
- Check that audit events contain sufficient details about the validation failure