[Backend] Include policy information in the logs of SEP jobs and include policy identifier


Why are we doing this work

In #541922 (closed), we're extending logs of the policy jobs to include the information about variable precedence. This is important for debugging and observability of the enforced policies.

We should do the same for SEP jobs. SEP options for controlling the variable precedence are simpler than the ones in PEP, but it would help to include the following in the logs:

Job triggered by scan execution policy "{policy_name}".
Variables defined in the policy take precedence over matching user-defined CI/CD variables for this job.

We should also update the wording for the pipeline execution policy so that we can differentiate between the two. For pipeline execution policy jobs, the logs should read:

Job triggered by pipeline execution policy "{policy_name}".

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • For PEP, change Job triggered by policy "{policy_name}" to Job triggered by pipeline execution policy "{policy_name}"
  • Add logs for SEP
    • Add an identifier in the build options to distinguish a SEP job. It should also differentiate a SEP job from a PEP job.
    • Extend the runner to show the message for a SEP job
  • Include policy identifiers so that even if there are two policies with the same name, we can pinpoint the policy that triggered the job. We can use the same identifier pattern as we use for the suffix of pipeline execution policy: policy-{security-policy-project-id}-{policy-index}
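
The plan above, sketched in Ruby as an added example; it is not GitLab's code. The module `PolicyJobLog`, the option keys (`:type`, `:name`, `:project_id`, `:index`), the "Policy identifier:" line and the stripping of control characters from the policy name are assumptions; only the message wording and the identifier pattern come from this issue.

```ruby
# Added illustration: module, method and option names are hypothetical,
# not GitLab's code. Only the message wording and id pattern come from the issue.
module PolicyJobLog
  LABELS = {
    scan_execution: 'scan execution policy',
    pipeline_execution: 'pipeline execution policy'
  }.freeze

  SEP_PRECEDENCE_NOTE = 'Variables defined in the policy take precedence over ' \
                        'matching user-defined CI/CD variables for this job.'

  module_function

  # Pattern from the issue: policy-{security-policy-project-id}-{policy-index}
  def identifier(project_id, policy_index)
    unless [project_id, policy_index].all? { |v| v.is_a?(Integer) && v >= 0 }
      raise ArgumentError, 'project id and policy index must be non-negative integers'
    end

    "policy-#{project_id}-#{policy_index}"
  end

  # Log lines for a job; [] when the build options carry no policy entry.
  def lines(policy)
    return [] if policy.nil?

    label = LABELS.fetch(policy[:type]) do |type|
      raise ArgumentError, "unknown policy type: #{type.inspect}"
    end
    # Policy names are user-defined, so control characters are dropped to keep
    # a name from adding lines or terminal escape sequences to the job log.
    name = policy[:name].to_s.gsub(/[[:cntrl:]]/, '')

    out = [
      %(Job triggered by #{label} "#{name}".),
      # Assumed wording: the issue does not say how the identifier is displayed.
      "Policy identifier: #{identifier(policy[:project_id], policy[:index])}"
    ]
    out << SEP_PRECEDENCE_NOTE if policy[:type] == :scan_execution
    out
  end
end
```

Two policies that share a name but sit at different indexes produce the same first line and different identifier lines, which is the disambiguation the last plan item asks for.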

Verification steps

Edited by 🤖 GitLab Bot 🤖