[BE] Extend GraphQL for frontend for CSP

Why are we doing this work

In order for frontend to annotate the group as CSP and the policies as "instance-level policies", we should surface this information from the backend.

We should also ensure that policy scope can be configured for all instance projects and groups.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • Extend ee/app/graphql/ee/types/namespace_type.rb to indicate if a group is a CSP
  • Extend merge_project_relationship in ee/app/finders/security/security_policy_base_finder.rb and expose config.source.csp
  • Test and update the code paths to allow proper policy scope configuration by considering all projects / groups in the instance

Verification steps

  1. Query the csp attribute for a namespace and verify that it returns true for a CSP group and false for other groups:
     {
       namespace(fullPath: "<group-path>") {
         id
         approvalPolicies(relationship: INHERITED) {
           nodes {
             name
             enabled
             csp
           }
         }
         scanExecutionPolicies(relationship: INHERITED) {
           nodes {
             name
             enabled
             csp
           }
         }
         vulnerabilityManagementPolicies(relationship: INHERITED) {
           nodes {
             name
             enabled
             csp
           }
         }
         pipelineExecutionPolicies(relationship: INHERITED) {
           nodes {
             name
             enabled
             csp
           }
         }
         pipelineExecutionSchedulePolicies(relationship: INHERITED) {
           nodes {
             name
             enabled
             csp
           }
         }
       }
     }
  2. Try to assign various groups and projects in the policy scope of the CSP configuration and verify that they are returned in the dropdown results
Edited by Martin Cavoj
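
One way to check the response of the step 1 query, as an added example that is not part of the issue or of GitLab's code: it sorts every returned policy by its csp flag and reports nodes where the flag is missing, so an unexposed field is not read as "false". The function name, the sample response and the policy names are constructed for illustration.

```javascript
// Added example; not GitLab code. Field names are taken from the query above.
const POLICY_FIELDS = [
  'approvalPolicies',
  'scanExecutionPolicies',
  'vulnerabilityManagementPolicies',
  'pipelineExecutionPolicies',
  'pipelineExecutionSchedulePolicies',
];

// Sort every policy node by its `csp` flag. Only a literal `true` counts as an
// instance-level policy; a missing or null flag is reported separately so a
// backend that does not expose the field is not mistaken for "csp: false".
function classifyPolicies(response) {
  const namespace = response && response.data && response.data.namespace;
  if (!namespace) throw new Error('response has no data.namespace');
  const result = { instanceLevel: [], other: [], notExposed: [] };
  for (const field of POLICY_FIELDS) {
    // A policy type that is null or was not queried contributes no nodes.
    const nodes = (namespace[field] && namespace[field].nodes) || [];
    for (const node of nodes) {
      const key = `${field}/${node.name}`;
      if (node.csp === true) result.instanceLevel.push(key);
      else if (node.csp === false) result.other.push(key);
      else result.notExposed.push(key);
    }
  }
  return result;
}

// Constructed sample response (id and policy names are made up for illustration).
const SAMPLE_RESPONSE = {
  data: {
    namespace: {
      id: 'gid://gitlab/Group/1',
      approvalPolicies: { nodes: [
        { name: 'Require security approval', enabled: true, csp: true },
        { name: 'Team approval rule', enabled: true, csp: false },
      ] },
      scanExecutionPolicies: { nodes: [
        { name: 'Nightly SAST', enabled: false, csp: null },
      ] },
      vulnerabilityManagementPolicies: { nodes: [] },
      pipelineExecutionPolicies: null,
    },
  },
};

console.log(classifyPolicies(SAMPLE_RESPONSE));
```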