
Check project policy_configuration ids on syncing compliance framework

Sashi Kumar Kumaresan requested to merge sk/439911-fix-comp-framework into master

What does this MR do and why?

This MR fixes a bug with the policy scope experimental feature where if a compliance framework is linked to multiple policies of different groups, the policies are enforced on MRs of projects that do not inherit the corresponding policy.

flowchart TD
    A[Framework A] --> B(Policy A)
    A --> C(Policy B)
    C --> D(Project A)
    B --> E(Project B)

In this case the bug is that MRs in project B have approvals from policy A enforced.

The fix is to check if the security_orchestration_policy_configuration ID is applicable for the project before syncing the approval rules.

Steps to reproduce

  1. Create two subgroups
  2. Create policies within the two subgroups that enforce against the same compliance framework label
  3. Observe that any projects in the group with the label are enforced (when instead the enforcement should filter to only projects within the same subgroup)

Addresses #439911 (closed)
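The applicability check the fix describes, modelled as an added example that is not GitLab's own code: namespaces are constructed path arrays, a policy configuration is assumed to apply to a project when its group is the project's group or an ancestor of it, and the data goes one step beyond the two-subgroup case by adding a parent-group policy that must still apply to both projects.

```ruby
# Added example, not GitLab's code: a minimal model of the bug and the fix.
# A namespace is an array of path segments; a policy configuration is assumed
# to apply to a project when its namespace is the project's namespace or an
# ancestor of it (all names and IDs below are constructed).
PolicyConfiguration = Struct.new(:id, :namespace_path, :name)
Project = Struct.new(:name, :namespace_path, :compliance_framework)

# One framework label linked to three policies: one in the parent group and
# one in each of two sibling subgroups.
POLICY_GROUP = PolicyConfiguration.new(10, %w[group], "policy-group")
POLICY_SUB_A = PolicyConfiguration.new(11, %w[group sub-a], "policy-sub-a")
POLICY_SUB_B = PolicyConfiguration.new(12, %w[group sub-b], "policy-sub-b")
FRAMEWORK_POLICY_CONFIGS = {
  "framework-x" => [POLICY_GROUP, POLICY_SUB_A, POLICY_SUB_B]
}.freeze
PROJECT_IN_A = Project.new("project-a", %w[group sub-a], "framework-x")
PROJECT_IN_B = Project.new("project-b", %w[group sub-b], "framework-x")

def configs_for_framework(project)
  FRAMEWORK_POLICY_CONFIGS.fetch(project.compliance_framework, [])
end

# True when the configuration's namespace path is a prefix of the project's
# path, i.e. the project inherits policies from that group.
def applicable?(config, project)
  project.namespace_path.first(config.namespace_path.length) == config.namespace_path
end

# Before the fix: every configuration linked to the framework is synced,
# regardless of which subgroup the project lives in.
def approval_policies_before_fix(project)
  configs_for_framework(project).map(&:name)
end

# After the fix: collect the applicable configuration IDs first and sync
# approval rules only for those.
def applicable_policy_configuration_ids(project)
  configs_for_framework(project).select { |c| applicable?(c, project) }.map(&:id)
end

def approval_policies_after_fix(project)
  ids = applicable_policy_configuration_ids(project)
  configs_for_framework(project).select { |c| ids.include?(c.id) }.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{approval_policies_before_fix(PROJECT_IN_B).inspect}"
  puts "after:  #{approval_policies_after_fix(PROJECT_IN_B).inspect}"
end
```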

Edited by Sashi Kumar Kumaresan
