Skip to content

Validate maximum SEP action count

What does this MR do and why?

This MR introduces:

  • an application setting that controls the maximum number of actions per scan execution policy.
  • a policy validation that uses the setting
  • a feature flag that controls whether the validation takes effect.

We will not enable the feature flags until %18.0 since this new limit is a breaking change (see the rollout Issue for projects and namespaces).

Related to #472213 (closed), #436545 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag: echo "Feature.enable(:scan_execution_policies_action_limit)" | rails c

  2. Create a project

  3. On the level left sidebar, select Security & Compliance and Policies

  4. Select New Policy

  5. Select Scan execution policy

  6. Switch to .yaml mode.

  7. Paste the following policy

    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'
    actions:
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
  8. Select Configure with a merge request

  9. This should fail with "Policy exceeds the number of 10 allowed actions"

Related to #472213 (closed)

Edited by Artur Fedorov

Merge request reports

Loading