Add configurable logical operator (AND/OR) to security policy scope

Summary

Add support for configurable logical operators (AND/OR) in the policy_scope keyword to provide flexibility in how multiple scope conditions (projects, groups, compliance frameworks) are combined when determining policy applicability.

Problem Statement

Currently, when a security policy specifies both projects and groups in the policy_scope, all conditions are combined using implicit AND logic. This means a project must satisfy all specified conditions for the policy to apply.

While this behavior is valid for certain use cases, it limits flexibility for users who want to apply policies when any condition matches. For example, users cannot easily create a policy that applies to:

  • A specific set of explicitly listed projects, OR
  • All projects within certain groups

Proposed Solution

Introduce an optional operator field in the policy_scope configuration that allows users to specify how scope conditions should be combined:

  • AND (default): All specified conditions must be met (maintains backward compatibility)
  • OR: At least one condition must be met

Example Usage

policy_scope:
  operator: "OR"  # Apply policy if ANY condition matches
  projects:
    including:
      - id: 1507906  # gitlab-org/ruby/gems/gitlab-exporter
  groups:
    including:
      - id: 9970     # gitlab-org

With the OR operator, the policy would apply to:

  • Any project explicitly listed in projects.including, OR
  • Any project belonging to groups listed in groups.including
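As an added example (not GitLab's own PolicyScopeChecker code), a small Ruby evaluator for the proposed operator, run against the scope above; it assumes a project is represented by its id plus the ids of all its ancestor groups, and that a scope naming no conditions restricts nothing.

```ruby
require 'yaml'
# Added example: a minimal evaluator for the proposed policy_scope operator.
# Constructed for this issue; it is not GitLab's PolicyScopeChecker.
class ScopeEvaluator
  OPERATORS = %w[AND OR].freeze

  def initialize(policy_scope)
    @scope = policy_scope || {}
    # Default to AND so existing policies keep their current behaviour.
    @operator = (@scope['operator'] || 'AND').to_s.upcase
    raise ArgumentError, "unsupported operator: #{@operator}" unless OPERATORS.include?(@operator)
  end

  # project is a constructed Hash { id: Integer, group_ids: [Integer] };
  # group_ids must list every ancestor group of the project.
  def applies_to?(project)
    checks = []
    checks << including_ids('projects').include?(project[:id]) if @scope.key?('projects')
    checks << (including_ids('groups') & Array(project[:group_ids])).any? if @scope.key?('groups')
    # Assumption: a scope that names no conditions restricts nothing.
    return true if checks.empty?
    @operator == 'AND' ? checks.all? : checks.any?
  end

  private

  def including_ids(key)
    Array(@scope.dig(key, 'including')).map { |entry| entry['id'] }
  end
end

# Parse a policy document and evaluate one project against its policy_scope.
def policy_applies?(policy_yaml, project)
  ScopeEvaluator.new(YAML.safe_load(policy_yaml)['policy_scope']).applies_to?(project)
end
# Constructed policy using the OR example from the issue.
OR_POLICY = <<~YAML
  policy_scope:
    operator: "OR"
    projects:
      including:
        - id: 1507906
    groups:
      including:
        - id: 9970
YAML
# Same scope without an operator: falls back to today's implicit AND.
AND_POLICY = OR_POLICY.sub(%(  operator: "OR"\n), '')
```

With OR_POLICY a project in group 9970 matches even when it is not listed, while with AND_POLICY project 1507906 matches only if it also sits under group 9970.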

Use Case

A user wants to enforce a security policy on:

  1. Specific high-priority projects regardless of their group membership
  2. All projects within certain organizational groups

Without the OR operator, users must either duplicate policies or restructure their group hierarchy to achieve this.

Acceptance Criteria

  • Add operator field to the security orchestration policy schema with values AND and OR
  • Default to AND behavior when operator is not specified (backward compatibility)
  • Update PolicyScopeChecker to respect the operator when evaluating scope conditions
  • Add documentation for the new operator field