Enforce both scan and pipeline execution policies with missing CI

What does this MR do and why?

This MR improves the integration between Pipeline Execution Policies (PEP) and Scan Execution Policies (SEP) when there's no CI configuration present in a project. The main changes are:

  1. Consolidate the handling of Security Policies features into a single class, replacing the separate PipelineExecutionPolicyForced and SecurityPolicyDefault classes.
  2. Ensure that both PEP and SEP are applied correctly when they coexist in a project.
  3. Update the behavior when Auto-DevOps is enabled alongside security policies.
  4. Add documentation to clarify the interaction between PEP and SEP, especially when using the override_ci strategy.

These changes aim to provide a more consistent and intuitive experience when using security policies, addressing some edge cases and potential conflicts between different policy types.

References

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new project without a CI configuration.
  2. Set up a Pipeline Execution Policy for the project (with inject_ci strategy).
  3. Set up a Scan Execution Policy for the project.
  4. Trigger a pipeline and verify that both PEP and SEP jobs are included.
  5. Test with different combinations of PEP and SEP to ensure proper behavior.
  6. Verify behavior with Auto-DevOps enabled and disabled.
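As an added illustration of steps 2 and 3 (not code from the MR or from the GitLab project itself), the fragment below shows the shape of a policy.yml in a security policy project that defines both a Pipeline Execution Policy with the inject_ci strategy and a Scan Execution Policy for the CI-less project from step 1. The project path my-group/security-policies, the file name pep-jobs.yml, the ref and the policy names are assumed placeholders, and the key names follow the policy schema as I understand it for this area of GitLab.

```yaml
# Added example (not from the MR): policy.yml in a security policy project
# linked to the test project from step 1. Project path, file name, ref and
# policy names are assumed placeholders.
pipeline_execution_policy:
  - name: Inject policy jobs                  # assumed name
    description: Adds policy-defined jobs to the project's pipeline.
    enabled: true
    pipeline_config_strategy: inject_ci       # strategy named in step 2
    content:
      include:
        - project: my-group/security-policies # assumed project path
          file: pep-jobs.yml                  # assumed file holding the jobs
          ref: main                           # assumed ref

scan_execution_policy:
  - name: Secret detection on every branch    # assumed name
    description: Runs the scan job even when the project has no CI config.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
```

With the project from step 1 carrying no CI configuration, the pipeline triggered in step 4 should contain both the jobs from pep-jobs.yml and the secret detection job. Step 5 can be covered by repeating the run with one policy set to enabled: false or with the PEP strategy changed, and step 6 by running the same combinations with Auto-DevOps toggled on and off.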

Known limitations and future improvements

  • There's an open issue with new projects using scan execution policies where pipelines may fail to start until Auto-DevOps is toggled off and on again. This behavior is present in the current master branch and is not introduced by this MR. It will be addressed separately.
  • The interaction between PEP with override_ci strategy and SEP needs further improvement. A follow-up issue has been created to address this: Pipeline Execution Policy with override_ci stra... (#504434 - closed).

Related to #482863 (closed)

Edited by Alan (Maciej) Paruszewski
