
Add GraphQL API for policy violations

What does this MR do and why?

This MR exposes the policy violations in the GraphQL API.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

[Screenshot: CleanShot_2024-04-16_at_14.35.25]

How to set up and validate locally

  1. Create a project
  2. Create .gitlab-ci.yml:
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
    
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
  3. Create a policy:
    type: approval_policy
    name: Sec & Lic
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
          - detected
          - confirmed
          - dismissed
          - resolved
        branch_type: protected
      - type: license_finding
        match_on_inclusion_license: true
        license_types:
          - BSD 3-Clause "New" or "Revised" License
        license_states:
          - newly_detected
        branch_type: protected
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  4. Create MR with violation:
    diff --git a/.env b/.env
    new file mode 100644
    index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1
    --- /dev/null
    +++ b/.env
    @@ -0,0 +1 @@
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
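    Review bot: the fixture commits `AWS_TOKEN=AKIA...` in the format of an AWS access key ID, which is exactly what the included Secret-Detection template is meant to flag; use a throwaway value generated for this test (never a key that was ever valid), and keep in mind that once pushed it remains in the project's history even after the file is changed in step 6.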
  5. Merge the secret so that it becomes a previously-existing vulnerability. The vulnerability should show up in Secure -> Vulnerability report.
  6. Create a new MR, adding a new leaked secret. Example:
    diff --git a/.env b/.env
    index ee4bf74ac3b632173dafc09e74ecd68c298bdfa1..d791cd2180779bf094bd017e07b12c1fad506c2c 100644
    --- a/.env
    +++ b/.env
    @@ -1 +1,2 @@
    -AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    +AWS_TOKEN2=AKIAZYONPI3G4JNCCWGZ
    \ No newline at end of file
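    Review bot: the `-AWS_TOKEN=...` / `+AWS_TOKEN=...` pair in this hunk is not a new secret; git shows the first line removed and re-added only because the previous revision ended without a trailing newline (`\ No newline at end of file`). The only genuinely new content is `AWS_TOKEN2`, so when checking the output in step 7 expect the first token under `previousScanFinding` and the second under `newScanFinding`.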
  7. Query the data presented in the bot comment via the GraphQL API (/-/graphql-explorer):
    {
      project(fullPath: "<project-path>") {
        mergeRequest(iid: "<iid>") {
          id
          title
          policyViolations {
            policies {
              name
              reportType
            }
            newScanFinding {
              name
              reportType
              severity
              location
              path
            }
            previousScanFinding {
              name
              reportType
              severity
              location
              path
            }
            anyMergeRequest {
              name
              commits
            }
            licenseScanning {
              license
              dependencies
              url
            }
            errors {
              error
              message
              reportType
              data
            }
            comparisonPipelines {
              reportType
              source
              target
            }
          }
        }
      }
    }
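To check the result of step 7 from a script instead of the explorer, here is an added Python client (example code written for this page, not GitLab's own): it sends the same selection set as the query above through the GraphQL endpoint with `fullPath` and `iid` passed as variables, then summarises the response so that previously existing and new findings are reported separately, alongside any evaluation errors. The endpoint path `/api/graphql`, Bearer-token authentication and everything in the sample response (policy and report-type strings, finding names, pipeline ids) are assumptions or constructed data, not captured from a GitLab instance.

```python
"""Query a merge request's policy violations over the GitLab GraphQL API and
summarise them.  Example code for the validation steps above; not GitLab code.
Assumed: endpoint <base_url>/api/graphql, personal access token sent as a
Bearer token, field names as in the step 7 query."""
import json
import urllib.request

# Same selection set as the step 7 query, with the project path and MR iid
# passed as GraphQL variables instead of being pasted into the query text.
POLICY_VIOLATIONS_QUERY = """
query PolicyViolations($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) {
    mergeRequest(iid: $iid) {
      id
      title
      policyViolations {
        policies { name reportType }
        newScanFinding { name reportType severity location path }
        previousScanFinding { name reportType severity location path }
        anyMergeRequest { name commits }
        licenseScanning { license dependencies url }
        errors { error message reportType data }
        comparisonPipelines { reportType source target }
      }
    }
  }
}
"""


def build_request(base_url, token, full_path, iid):
    """Build the POST to <base_url>/api/graphql (endpoint path and Bearer
    auth are assumptions about the instance; adjust if yours differs)."""
    body = json.dumps({
        "query": POLICY_VIOLATIONS_QUERY,
        "variables": {"fullPath": full_path, "iid": str(iid)},
    }).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql",
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
        method="POST",
    )


def fetch_policy_violations(base_url, token, full_path, iid):
    """Send the query and return the decoded JSON document."""
    with urllib.request.urlopen(build_request(base_url, token, full_path, iid)) as resp:
        return json.load(resp)


def summarize(response):
    """Reduce the GraphQL response to what a reviewer wants to check: which
    policies fired, which findings are new versus pre-existing, and whether
    any report type failed to evaluate."""
    if response.get("errors"):
        raise ValueError("GraphQL request failed: %r" % (response["errors"],))
    mr = response["data"]["project"]["mergeRequest"]
    if mr is None:
        raise ValueError("merge request not found or token lacks access")
    pv = mr.get("policyViolations") or {}

    def findings(key):
        return [(f["name"], f["severity"], f["path"]) for f in pv.get(key) or []]

    summary = {
        "title": mr["title"],
        "policies": sorted({p["name"] for p in pv.get("policies") or []}),
        "new_findings": findings("newScanFinding"),
        "previous_findings": findings("previousScanFinding"),
        "any_merge_request": [r["name"] for r in pv.get("anyMergeRequest") or []],
        "licenses": [v["license"] for v in pv.get("licenseScanning") or []],
        # An evaluation error is not "no violations": the policy could not be
        # checked, so surface it rather than treating the MR as clean.
        "evaluation_errors": [(e["reportType"], e["error"]) for e in pv.get("errors") or []],
    }
    summary["needs_attention"] = any(
        summary[k] for k in ("new_findings", "previous_findings",
                             "any_merge_request", "licenses", "evaluation_errors"))
    return summary


# Constructed sample response for offline use; values are illustrative only
# and were not captured from a GitLab instance.
SAMPLE_RESPONSE = {"data": {"project": {"mergeRequest": {
    "id": "gid://gitlab/MergeRequest/1", "title": "Add second token",
    "policyViolations": {
        "policies": [{"name": "Sec & Lic", "reportType": "SCAN_FINDING"},
                     {"name": "Sec & Lic", "reportType": "ANY_MERGE_REQUEST"}],
        "newScanFinding": [{"name": "AWS access token", "reportType": "SECRET_DETECTION",
                            "severity": "CRITICAL", "location": ".env:2", "path": ".env"}],
        "previousScanFinding": [{"name": "AWS access token", "reportType": "SECRET_DETECTION",
                                 "severity": "CRITICAL", "location": ".env:1", "path": ".env"}],
        "anyMergeRequest": [{"name": "Sec & Lic", "commits": ["0000000000000000000000000000000000000000"]}],
        "licenseScanning": [],
        "errors": [],
        "comparisonPipelines": [{"reportType": "SECRET_DETECTION",
                                 "source": "gid://gitlab/Ci::Pipeline/11",
                                 "target": "gid://gitlab/Ci::Pipeline/10"}],
    }}}}}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Against a live instance call `summarize(fetch_policy_violations(base_url, token, "<project-path>", <iid>))`. With the policy from step 3, which lists both the `new_*` and the existing vulnerability states, a finding under `previousScanFinding` counts as much as one under `newScanFinding`, which is why the summary keeps both lists rather than only the new one.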

Related to #433406

Edited by Martin Čavoj
