
Fix compliance framework graphql query to return correct policies

Sashi Kumar Kumaresan requested to merge sk/443816-fix-graphql-query into master

What does this MR do and why?

This MR fixes a bug in the ComplianceFramework GraphQL query, where it returns every policy associated with the Security::OrchestrationPolicyConfiguration rather than only the policies scoped to that framework. The fix filters the policies by checking whether the framework is present in the policy_scope section of the policy YAML.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before: Screenshot_2024-02-29_at_8.07.56_PM
After: Screenshot_2024-02-29_at_8.07.35_PM

How to set up and validate locally

  1. Create a new group and enable Security policy scope (Experiment) in Settings under Permissions and group features
  2. Create two compliance frameworks using Security -> Compliance center -> Frameworks
  • First Framework
  • Second Framework
  3. Create three scan execution policies in the group, with the following config:
---
scan_execution_policy:
- name: demo-scan-1
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 375
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection
- name: demo-scan-2
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 376
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection
- name: demo-scan-3
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks: []
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection

(replace 375 and 376 with the relevant compliance framework ids)

Basically it configures the following:

  • demo-scan-1 is linked to compliance framework First Framework
  • demo-scan-2 is linked to compliance framework Second Framework
  • demo-scan-3 is not linked to any framework
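As an added illustration of the filtering described above (example code written for this page, not the MR's own implementation), the function below parses a constructed policy YAML in the same shape as the config above and returns only the policies whose policy_scope lists a given framework id; a policy with an empty compliance_frameworks list, or no policy_scope at all, is excluded. The unfiltered variant shows the pre-fix behaviour for contrast.

```ruby
require 'yaml'

# Constructed sample mirroring the three policies from the setup steps, plus a
# fourth policy with no policy_scope key at all to cover that edge case.
POLICY_YAML = <<~YAML
  scan_execution_policy:
  - name: demo-scan-1
    enabled: true
    policy_scope:
      compliance_frameworks:
      - id: 375
  - name: demo-scan-2
    enabled: true
    policy_scope:
      compliance_frameworks:
      - id: 376
  - name: demo-scan-3
    enabled: true
    policy_scope:
      compliance_frameworks: []
  - name: demo-scan-4
    enabled: true
YAML

# Names of scan execution policies whose policy_scope references framework_id.
# Policies with no policy_scope or an empty compliance_frameworks list are not
# scoped to any framework and are therefore left out.
def policies_scoped_to_framework(yaml_text, framework_id)
  config = YAML.safe_load(yaml_text) || {}
  policies = Array(config['scan_execution_policy'])
  policies.select do |policy|
    scope = policy['policy_scope'] || {}
    frameworks = Array(scope['compliance_frameworks'])
    frameworks.any? { |fw| fw.is_a?(Hash) && fw['id'].to_i == framework_id.to_i }
  end.map { |policy| policy['name'] }
end

# Pre-fix behaviour, for contrast: every policy on the configuration comes back,
# regardless of which framework (if any) it is scoped to.
def policies_unfiltered(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  Array(config['scan_execution_policy']).map { |policy| policy['name'] }
end
```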

Run the following GraphQL query using graphql-explorer:

{
  namespace(fullPath: "compliance-pipelines") {
    complianceFrameworks {
      nodes {
        id
        scanExecutionPolicies {
          nodes {
            name
            enabled
          }
        }
      }
    }
  }
}

Addresses #443816 (closed)

Edited by Sashi Kumar Kumaresan
