Validate maximum SEP action count
What does this MR do and why?
This MR introduces:
- an application setting that controls the maximum number of actions per scan execution policy.
- a policy validation that uses the setting.
- a feature flag that controls whether the validation takes effect.
We will not enable the feature flag until %18.0, since this new limit is a breaking change (see the rollout issue for projects and namespaces).
Related to #472213 (closed), #436545 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable the feature flag:

  ```shell
  echo "Feature.enable(:scan_execution_policies_action_limit)" | rails c
  ```

- Create a project.
- On the left sidebar, select Security & Compliance and then Policies.
- Select New Policy.
- Select Scan execution policy.
- Switch to .yaml mode.
- Paste the following policy:

  ```yaml
  type: scan_execution_policy
  name: test
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
    - scan: secret_detection
  ```

- Select Configure with a merge request.
- This should fail with "Policy exceeds the number of 10 allowed actions".
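To make the expected behaviour of the new validation concrete, here is a minimal stand-alone Ruby sketch (added here; not the code in this MR or GitLab's implementation) that counts the `actions` of a scan execution policy against a configurable limit and only applies the limit when a flag is on, mirroring the feature flag. The names `DEFAULT_MAX_ACTIONS`, `validate_action_count` and `validate_policy_yaml` are assumptions for illustration, and the embedded policy is the constructed eleven-action sample from the steps above.

```ruby
require 'yaml'

# Added example, not GitLab's implementation. The constant and method names
# below are assumptions used only for illustration.
DEFAULT_MAX_ACTIONS = 10

# Returns nil when the policy is within the limit, otherwise an error message.
# `enforce:` stands in for the feature flag: when it is off, no limit applies.
def validate_action_count(policy, limit: DEFAULT_MAX_ACTIONS, enforce: true)
  return nil unless enforce

  actions = policy['actions']
  return 'Policy actions must be a list' unless actions.is_a?(Array)
  return nil if actions.size <= limit

  "Policy exceeds the number of #{limit} allowed actions"
end

# Parses the policy YAML with safe_load (no arbitrary object deserialization
# from user-supplied policy text) and then applies the action-count check.
def validate_policy_yaml(yaml, **opts)
  policy = YAML.safe_load(yaml)
  return 'Policy must be a mapping' unless policy.is_a?(Hash)

  validate_action_count(policy, **opts)
end

# Constructed sample: the eleven-action policy used in the validation steps.
POLICY_HEADER = <<~YAML
  type: scan_execution_policy
  name: test
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branches:
        - '*'
  actions:
YAML
SAMPLE_POLICY_YAML = POLICY_HEADER + ("  - scan: secret_detection\n" * 11)

if __FILE__ == $PROGRAM_NAME
  puts validate_policy_yaml(SAMPLE_POLICY_YAML) # => Policy exceeds the number of 10 allowed actions
  p validate_policy_yaml(SAMPLE_POLICY_YAML, enforce: false) # => nil
end
```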
Related to #472213 (closed)