
Add support for groups in policy scope

What does this MR do and why?

This MR adds the ability to scope policies to groups by extending the policy_scope option in policies.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new Group (group-a)
  2. Create 3 new Subgroups (group-a/subgroup-1, group-a/subgroup-2, group-a/subgroup-2/subgroup-2a)
  3. Copy the ID of the group-a/subgroup-2 group
  4. For the root group (group-a), go to Secure -> Policies and create a new policy (for example, a Scan Execution Policy):

      name: SEP scoped to subgroup
      description: ''
      enabled: true
      actions:
      - scan: container_scanning
        variables:
          CS_IMAGE: alpine:3.12.0
      rules:
      - type: pipeline
        branch_type: all
      policy_scope:
        groups:
          including:
          - id: 228 # ID of the `group-a/subgroup-2` group

  5. Create 2 projects (group-a/subgroup-1/project-1 and group-a/subgroup-2/subgroup-2a/project-1) and add a .gitlab-ci.yml file to each:

      test-job:
          script:
          - echo "Test Job!"

  6. For each project, see the pipeline that was created. In group-a/subgroup-1/project-1, you should not see the container-scanning-0 job, while in group-a/subgroup-2/subgroup-2a/project-1, you will see this job.

Related to #468384

Edited by Alan (Maciej) Paruszewski
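
A small Ruby model of the outcome the final validation step expects, added here as an illustration; it is not GitLab's implementation or code from this MR. The `GROUPS` table, every group ID other than 228, and both helper names are constructed, and the model assumes a group scope also covers projects in descendant subgroups, as the expected result for group-a/subgroup-2/subgroup-2a/project-1 implies.

```ruby
require "yaml"

# Constructed policy mirroring the one in the description (228 is the page's sample ID).
POLICY_YAML = <<~YAML
  name: SEP scoped to subgroup
  enabled: true
  policy_scope:
    groups:
      including:
      - id: 228
YAML

# Constructed hierarchy: group id => path and parent id. Only 228 comes from the page.
GROUPS = {
  100 => { path: "group-a", parent: nil },
  227 => { path: "group-a/subgroup-1", parent: 100 },
  228 => { path: "group-a/subgroup-2", parent: 100 },
  229 => { path: "group-a/subgroup-2/subgroup-2a", parent: 228 }
}.freeze

# IDs of the group and all of its ancestors, nearest first.
# Stops on a repeated id so a malformed (cyclic) table cannot loop forever.
def self_and_ancestor_ids(group_id, groups = GROUPS)
  ids = []
  seen = {}
  while group_id && !seen[group_id]
    raise ArgumentError, "unknown group #{group_id}" unless groups.key?(group_id)
    seen[group_id] = true
    ids << group_id
    group_id = groups[group_id][:parent]
  end
  ids
end

# Hypothetical helper: does the policy apply to a project that lives in project_group_id?
# Assumptions of this model: a disabled policy never applies, and a policy without a
# groups.including list is not restricted by group.
def policy_applies?(policy, project_group_id, groups = GROUPS)
  return false unless policy["enabled"]
  included = policy.dig("policy_scope", "groups", "including")
  return true if included.nil? || included.empty?
  scoped_ids = included.map { |g| Integer(g["id"]) }
  # In scope when the project's group, or any ancestor of it, is listed.
  (self_and_ancestor_ids(project_group_id, groups) & scoped_ids).any?
end

POLICY = YAML.safe_load(POLICY_YAML)
```

When validating, the case worth checking by hand is the sibling subgroup: a project under group-a/subgroup-1 shares the root group with the scoped subgroup but must not receive the scan job.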
