Simplify logic to exclude rules in Scan Execution Policies
What does this MR do and why?
This MR simplifies the logic previously used to remove rules that could potentially disable selected scans in jobs enforced by Security Policies. Because we have modified how variables work with Scan Execution Policies, we can now simplify that logic by removing the code responsible for it. At the same time, we can remove the previously added feature flag that handled that.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new project.
- Create a new Scan Execution Policy (Secure -> Policies -> Create new -> Select Scan Execution Policy).
- Select SAST, DS, Secret Detection and SAST IaC.
- Prepare the project so that all of them can be tested (add a Gemfile, a random *.rb file, and a file containing a secret).
- By setting these variables at the project or group level, etc., try to disable the selected jobs:
  - SECRET_DETECTION_HISTORIC_SCAN
  - SECRET_DETECTION_EXCLUDED_PATHS
  - DS_EXCLUDED_PATHS
  - DS_EXCLUDED_ANALYZERS
  - DEFAULT_SAST_EXCLUDED_PATHS
  - SAST_EXCLUDED_PATHS
  - SAST_EXCLUDED_ANALYZERS
- Try to set the same variables at the policy level; this should allow you to manage the jobs normally.
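As an added illustration of the validation steps above (not code from this MR or from the GitLab project), the first YAML document is a project-level `.gitlab-ci.yml` that tries to neuter the enforced scans through the listed variables; the second is a scan execution policy that sets the same variables at the policy level, where they take precedence. The policy document follows the documented scan execution policy schema; the policy name, path lists and analyzer lists are constructed placeholders.

```yaml
# Document 1: .gitlab-ci.yml in the scanned project (project-level variables).
# Constructed example: every value here is an attempt to make the enforced
# analyzers skip everything or not run at all.
variables:
  SECRET_DETECTION_EXCLUDED_PATHS: "**"
  SECRET_DETECTION_HISTORIC_SCAN: "false"
  SAST_EXCLUDED_PATHS: "**"
  SAST_EXCLUDED_ANALYZERS: "semgrep,brakeman"
  DS_EXCLUDED_PATHS: "**"
  DS_EXCLUDED_ANALYZERS: "gemnasium"
---
# Document 2: policy.yml in the security policy project (policy-level variables).
# Because policy-level variables override project/group values, the settings in
# document 1 no longer disable the scans; the policy decides what runs.
scan_execution_policy:
  - name: Enforce SAST, DS, secret detection and IaC scanning  # constructed name
    description: Policy-level variables pin the exclusion settings.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
        variables:
          SECRET_DETECTION_HISTORIC_SCAN: "true"
          SECRET_DETECTION_EXCLUDED_PATHS: ""
      - scan: sast
        variables:
          SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # constructed value
          SAST_EXCLUDED_ANALYZERS: ""
      - scan: dependency_scanning
        variables:
          DS_EXCLUDED_PATHS: ""
          DS_EXCLUDED_ANALYZERS: ""
      - scan: sast_iac
```

To reproduce the check, commit document 1 to the test project and document 2 to its linked security policy project, then confirm in the pipeline that each enforced job still runs with the policy's values rather than the project's.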
Related to #479820
Merge request reports
Activity
- assigned to @alan
- added Category:Security Policy Management, devops::govern, group::security policies labels and removed devops::secure, group::static analysis labels
- added pipeline::tier-1 label
- mentioned in issue #479820
- A deleted user added backend label
- added 1 commit: a400d860 - Simplify logic to exclude rules in Scan Execution Policies
- A deleted user added documentation label
- removed documentation label
- requested review from @mcavoj
- removed review request for @mcavoj
- added pipeline:mr-approved label
- added pipeline::tier-2 label and removed pipeline::tier-1 label