Add support for groups in policy scope
What does this MR do and why?
This MR adds the ability to scope policies to groups by extending the `policy_scope` option in policies.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new Group (`group-a`)
- Create 3 new Subgroups (`group-a/subgroup-1`, `group-a/subgroup-2`, `group-a/subgroup-2/subgroup-2a`)
- Copy the ID of the `group-a/subgroup-2` group
- For the root group (`group-a`), go to Secure -> Policies and create a new policy (i.e. Scan Execution Policy):
  ```yaml
  name: SEP scoped to subgroup
  description: ''
  enabled: true
  actions:
  - scan: container_scanning
    variables:
      CS_IMAGE: alpine:3.12.0
  rules:
  - type: pipeline
    branch_type: all
  policy_scope:
    groups:
      including:
      - id: 228 # ID of the `group-a/subgroup-2` group
  ```
- Create 2 projects (`group-a/subgroup-1/project-1` and `group-a/subgroup-2/subgroup-2a/project-1`), add `.gitlab-ci.yml` file:
  ```yaml
  test-job:
    script:
    - echo "Test Job!"
  ```
- For each project see the pipeline that was created. In `group-a/subgroup-1/project-1`, you should not see the `container-scanning-0` job, while in `group-a/subgroup-2/subgroup-2a/project-1`, you will see this job.
Related to #468384
Edited by Alan (Maciej) Paruszewski
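
A small model of the scoping behaviour the validation steps check, as an added example that is not part of the MR or GitLab's code: it assumes a project is in scope when any group in its ancestry is listed under `groups.including`, and that a policy without a group scope is not restricted by group. Only group ID 228 comes from the description; the other IDs, the constants and the function names are hypothetical.

```ruby
# Added illustration, not GitLab's implementation.
# Constructed hierarchy from the validation steps; only ID 228 comes from the
# description, every other ID is made up for the example.
GROUPS = {
  100 => { path: 'group-a',                        parent_id: nil },
  227 => { path: 'group-a/subgroup-1',             parent_id: 100 },
  228 => { path: 'group-a/subgroup-2',             parent_id: 100 },
  229 => { path: 'group-a/subgroup-2/subgroup-2a', parent_id: 228 }
}.freeze

# Project path => ID of the group that directly contains it (constructed).
PROJECTS = {
  'group-a/subgroup-1/project-1'             => 227,
  'group-a/subgroup-2/subgroup-2a/project-1' => 229
}.freeze

POLICY_SCOPE = { 'groups' => { 'including' => [{ 'id' => 228 }] } }.freeze

# IDs of the containing group followed by all of its ancestors, nearest first.
def ancestor_group_ids(group_id, groups = GROUPS)
  ids = []
  while group_id
    raise ArgumentError, "unknown group #{group_id}" unless groups.key?(group_id)
    raise ArgumentError, "cycle at group #{group_id}" if ids.include?(group_id)

    ids << group_id
    group_id = groups[group_id][:parent_id]
  end
  ids
end

# Assumption: in scope when any group in the project's ancestry is listed under
# groups.including; a policy with no groups scope is not restricted by group.
def in_group_scope?(project_path, policy_scope = POLICY_SCOPE)
  group_id = PROJECTS.fetch(project_path)
  included = policy_scope.dig('groups', 'including')
  return true if included.nil?

  included_ids = included.map { |g| g['id'] }
  (ancestor_group_ids(group_id) & included_ids).any?
end

# Projects the scoped policy skips: the list to review for coverage gaps.
def out_of_scope_projects(policy_scope = POLICY_SCOPE)
  PROJECTS.keys.reject { |path| in_group_scope?(path, policy_scope) }
end
```
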