
Update security policies when project's compliance framework is updated

Sashi Kumar Kumaresan requested to merge sk/428491-sync-update into master

What does this MR do and why?

This MR refreshes the security policies for a project when a compliance framework is assigned to or unassigned from the project. This is achieved by publishing a new event (Projects::ComplianceFrameworkChangedEvent) and re-syncing the policies in response to it.

Addresses #428491 (closed)

Screenshots

  • Group with projects
  • Policy
  • Project with Framework
  • Project without Framework

How to set up and validate locally

  • Create a top-level group and create a compliance framework
  • Create 2 projects within the group
  • Create a scan result policy with policy_scope and add the ID of the compliance framework:

    type: scan_result_policy
    name: SRP
    description: ''
    enabled: true
    policy_scope:
      compliance_frameworks:
        - id: 5
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers_ids:
          - 22

  • Assign the compliance framework to one of the projects in the group (Settings -> General -> Compliance Frameworks)
  • Create an MR that updates the README in both projects. Verify that the project with the compliance framework assigned requires an approval and that the project without it does not.
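The validation steps above rely on the policy being matched against each project's framework assignment, and re-matched when that assignment changes. The following is an added illustrative example (not GitLab's implementation) that loads the policy from the steps above and shows that matching; the `required_approvals` and `on_compliance_framework_changed` helpers and the rule that an unscoped policy applies to every project are assumptions made for the illustration.

```ruby
require 'yaml'

# Constructed sample: the scan result policy from the validation steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: SRP
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
      - id: 5
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 22
YAML

POLICY = YAML.safe_load(POLICY_YAML)

# Hypothetical helper: number of approvals the policy demands from a project
# whose assigned compliance framework has +framework_id+ (nil = none assigned).
# Returns 0 when the policy is disabled or out of scope for the project.
def required_approvals(policy, framework_id)
  return 0 unless policy['enabled']

  scoped_ids = policy.dig('policy_scope', 'compliance_frameworks')&.map { |f| f['id'] }
  # Assumption for this example: a policy with no compliance_frameworks scope
  # applies to every project; otherwise only to projects in one of the listed frameworks.
  in_scope = scoped_ids.nil? || scoped_ids.include?(framework_id)
  return 0 unless in_scope

  policy['actions']
    .select { |a| a['type'] == 'require_approval' }
    .sum { |a| a['approvals_required'] }
end

# Hypothetical stand-in for handling the framework-changed event: the project's
# requirement is recomputed from the new assignment rather than kept stale.
def on_compliance_framework_changed(policy, project, new_framework_id)
  project.merge(framework_id: new_framework_id,
                approvals_required: required_approvals(policy, new_framework_id))
end
```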

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
