Add `branch_type` support to scan result policies
What does this MR do and why?
We are adding branch_type support to security policies (&9468 (closed)).
This MR adds branch_type support to Scan result policies.
How to set up and validate locally
-
Create a new group
-
Create a new contained project
-
Enable the feature flag for the project:
Feature.enable(:security_policies_branch_type, Project.last) -
Navigate to
Repository > Branchesand create the following branches:developfeature-1
-
Navigate to
Settings > Repositoryand protect thedevelopbranch -
Navigate to
Settings > Repositoryand within theBranch defaultssection, setdevelopas default branch -
On the group level, navigate to
Security and Compliance > Policiesand create the following scan result policy:type: scan_result_policy name: Container Scanning Default Branch description: '' enabled: true rules: - type: scan_finding branch_type: default scanners: - container_scanning vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: [] actions: - type: require_approval approvals_required: 1 user_approvers_ids: - 1 -
On the project level, navigate to
Security and Compliance > Policiesand create the following scan result policy:type: scan_result_policy name: Secret Detection Protected Branches description: '' enabled: true rules: - type: scan_finding branch_type: protected scanners: - secret_detection vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: [] actions: - type: require_approval approvals_required: 1 user_approvers_ids: - 1 -
Open MRs targeting the following branches and verify the expected approval rules:
Target branch Approval rules mainSecret Detection Protected BranchesdevelopSecret Detection Protected Branches,Container Scanning Default Branchfeature-1none
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #404785 (closed)