Add GraphQL API for policy violations
What does this MR do and why?
This MR exposes policy violations of a merge request through the GraphQL API.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Create a project
- Create `.gitlab-ci.yml`:

```yaml
include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

build-job:
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."
```
- Create a policy:

```yaml
type: approval_policy
name: Sec & Lic
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - new_needs_triage
      - new_dismissed
      - detected
      - confirmed
      - dismissed
      - resolved
    branch_type: protected
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
      - BSD 3-Clause "New" or "Revised" License
    license_states:
      - newly_detected
    branch_type: protected
  - type: any_merge_request
    branch_type: protected
    commits: unsigned
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
```
- Create MR with violation:
diff --git a/.env b/.env new file mode 100644 index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1 --- /dev/null +++ b/.env @@ -0,0 +1 @@ +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ \ No newline at end of file
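Review bot: the `.env` hunk commits an AWS-style access key ID solely so that the Secret-Detection template included in `.gitlab-ci.yml` reports it; the step should state that the value is a dummy fixture (and that the test project should be private) so nobody who follows these steps treats it as a real leaked credential that needs rotating.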
- Merge the secret so that it becomes a previously-existing vulnerability. The vulnerability should show up in Secure -> Vulnerability report.
- Create a new MR, adding a new leaked secret. Example:
diff --git a/.env b/.env index ee4bf74ac3b632173dafc09e74ecd68c298bdfa1..d791cd2180779bf094bd017e07b12c1fad506c2c 100644 --- a/.env +++ b/.env @@ -1 +1,2 @@ -AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ \ No newline at end of file +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ +AWS_TOKEN2=AKIAZYONPI3G4JNCCWGZ \ No newline at end of file
- Query the data presented in the bot comment via the GraphQL API (`/-/graphql-explorer`):
```graphql
{
  project(fullPath: "<project-path>") {
    mergeRequest(iid: "<iid>") {
      id
      title
      policyViolations {
        policies {
          name
          reportType
        }
        newScanFinding {
          name
          reportType
          severity
          location
          path
        }
        previousScanFinding {
          name
          reportType
          severity
          location
          path
        }
        anyMergeRequest {
          name
          commits
        }
        licenseScanning {
          license
          dependencies
          url
        }
        errors {
          error
          message
          reportType
          data
        }
        comparisonPipelines {
          reportType
          source
          target
        }
      }
    }
  }
}
```
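As an added example (not code from this MR or from GitLab), the same query sent through `/api/graphql` and reduced to the facts a reviewer acts on: `fetch_violations`, `summarize` and the sample response are constructed here, and the assumption that `anyMergeRequest.commits` is either a list of SHAs or `true` is mine.

```python
import json
import urllib.request

# The query from the setup steps above, with project path and MR iid as GraphQL variables.
POLICY_VIOLATIONS_QUERY = """
query($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) { mergeRequest(iid: $iid) { policyViolations {
    policies { name reportType }
    newScanFinding { name reportType severity location path }
    previousScanFinding { name reportType severity location path }
    anyMergeRequest { name commits }
    licenseScanning { license dependencies url }
    errors { error message reportType data }
  } } }
}"""

def fetch_violations(gitlab_url: str, token: str, full_path: str, iid: str) -> dict:
    """POST the query to <gitlab_url>/api/graphql using a token with read_api scope."""
    body = json.dumps({"query": POLICY_VIOLATIONS_QUERY,
                       "variables": {"fullPath": full_path, "iid": iid}}).encode()
    req = urllib.request.Request(f"{gitlab_url}/api/graphql", data=body, headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    return json.load(urllib.request.urlopen(req))

def summarize(response: dict) -> dict:
    """Reduce the policyViolations payload to the facts a reviewer acts on."""
    v = response["data"]["project"]["mergeRequest"]["policyViolations"]
    # `commits` is assumed to be a list of SHAs, or `true` when every commit is unsigned.
    shas = [c for r in v["anyMergeRequest"] if isinstance(r["commits"], list) for c in r["commits"]]
    s = {
        "policies": sorted({p["name"] for p in v["policies"]}),
        "new_findings": [f"{f['severity']}: {f['name']} ({f['path']})" for f in v["newScanFinding"]],
        "previous_findings": len(v["previousScanFinding"]),
        "unsigned_commits": shas or ("all" if v["anyMergeRequest"] else []),
        "licenses": sorted(l["license"] for l in v["licenseScanning"]),
        "errors": len(v["errors"]),
    }
    # Comparison errors are treated as fail-closed: approval is still required.
    s["needs_approval"] = bool(s["new_findings"] or s["previous_findings"] or s["unsigned_commits"]
                               or s["licenses"] or s["errors"])
    return s

# Constructed sample of what the query returns after the steps above (not a captured API result).
FINDING = {"name": "AWS Access Token", "reportType": "SECRET_DETECTION", "severity": "CRITICAL", "path": ".env"}
SAMPLE_RESPONSE = {"data": {"project": {"mergeRequest": {"policyViolations": {
    "policies": [{"name": "Sec & Lic", "reportType": "SCAN_FINDING"}],
    "newScanFinding": [{**FINDING, "location": {"start_line": 2}}],
    "previousScanFinding": [{**FINDING, "location": {"start_line": 1}}],
    "anyMergeRequest": [{"name": "Sec & Lic", "commits": ["0123456789abcdef"]}],
    "licenseScanning": [], "errors": [],
}}}}}
```

Running `summarize(SAMPLE_RESPONSE)` reports one new and one previous secret finding plus one unsigned commit, so `needs_approval` is true, which matches the approval the policy above requires.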
Related to #433406
Edited by Martin Čavoj