Add policy toggle unblock_rules_using_scan_execution_policies
What does this MR do and why?
Add a new toggle for approval policy rules to get unblocked when the same scanner is enforced by scan execution policies. It's behind a feature flag unblock_rules_using_execution_policies
References
Please include cross links to any resources that are relevant to this MR This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
- Depends on Refactor policy rule evaluation and unblock rul... (!168222 - merged)
- Feature flag rollout issue: [Feature flag] Rollout of `unblock_rules_using_... (#498717 - closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Metrics:
How to set up and validate locally
- In rails console enable the feature flag
Feature.enable(:unblock_rules_using_execution_policies) - Create a project
- In the project, create a new Scan execution policy to run
dependency_scanningon every pipeline - Create approval policy to require approvals based on
dependency_scanningscans. Switch to the.yaml modeand addpolicy_tuningsection:policy_tuning: unblock_rules_using_execution_policies: true - Update
README.mdin a MR - Verify that approvals are not required, even though the scans didn't run
- Disable the toggle or feature flag and verify that approvals are required, and policy bot violations appear with "missing scans"
Related to #490092 (closed)
Edited by Martin Cavoj