Requeue backfill security policies background migration

What does this MR do and why?

This MR requeues the BackfillSecurityPolicies background migration, which failed because of the text limit constraint on the description column. The constraint was removed in Remove description text limit on security_policies (!172933 - merged).

How to set up locally?

  • Create a group (read-model-migration) and create multiple sub-groups and projects
  • Disable security_policies_sync_group feature flag (Feature.disable(:security_policies_sync_group))
  • Create a project (read-model-migration/read-model-migration-security-policy-project) within the group and create a .gitlab/security-policies/policy.yml file with:

```yaml
---
approval_policy:
- name: MRAP - Security Scan
  description: ''
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - developer
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open
- name: MRAP - License Scan
  description: ''
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
    - Apple MIT License
    license_states:
    - newly_detected
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - developer
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open
- name: MRAP - any_merge_request
  description: ''
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: any_merge_request
    branch_type: protected
    commits: unsigned
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - developer
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open
scan_execution_policy:
- name: SEP - Pipeline
  description: ''
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection
- name: SEP - Schedule
  description: ''
  enabled: true
  policy_scope:
    projects:
      excluding: []
  rules:
  - type: schedule
    cadence: 0 0 * * *
    branch_type: default
  actions:
  - scan: secret_detection
pipeline_execution_policy:
- name: PEP - Inject
  description: ''
  enabled: true
  pipeline_config_strategy: inject_ci
  content:
    include:
    - project: read-model-migration/read-model-migration-security-policy-project
      file: basic.yml
vulnerability_management_policy:
- name: Vulnerability management policy
  description: ''
  enabled: true
  rules:
  - type: no_longer_detected
    scanners: []
    severity_levels:
    - critical
    - high
  actions:
  - type: auto_resolve
```
  • Create basic.yml (used by the pipeline execution policy) in the policy project with:

```yaml
stages:
  - .pipeline-policy-pre
  - build
  - custom
  - test
  - .pipeline-policy-post

compliance-job:
  stage: .pipeline-policy-pre
  script:
    - echo "Compliance"
policy build job:
  stage: build
  script:
    - echo "Build"
policy test job:
  stage: test
  script:
    - echo "Test"
policy custom job:
  stage: custom
  script:
    - echo "Custom"

duplicate-job:
  stage: test
  script:
    - echo "Duplicate job"
```
  • Assign this project as the security policy project by going to Secure -> Policies -> Edit Policy Project and selecting the created project
  • Execute the migration by running `bundle exec rake db:migrate`
  • Verify that the policies are created by running the following in a Rails console:

```ruby
Security::Policy.all.map(&:name)
Security::Policy.all.map(&:projects)
Security::ApprovalPolicyRule.all
Security::ApprovalPolicyRule.all.map(&:projects)
Security::ScanExecutionPolicyRule.all
Security::VulnerabilityManagementPolicyRule.all
```
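To know what the verification step should return before running the migration, it helps to read the same policy.yml the backfill reads and count what it will create. The script below is an added example, not code from this MR or from GitLab: it parses a constructed, trimmed copy of the policy file from the setup steps (same four policy types, same policy names and rule types) and reports the policy names per type, the number of rule rows each type should yield, and the longest description in the file. It makes no assumptions about the internals of Security::Policy; it only mirrors what Security::Policy.all.map(&:name) and the *PolicyRule.all queries are expected to show once the backfill has run.

```ruby
require 'yaml'

# Constructed sample policy.yml: a trimmed copy of the structure used in the
# setup steps (same four policy types, same names and rule types).
POLICY_YAML = <<~YAML
  approval_policy:
  - name: MRAP - Security Scan
    description: ''
    enabled: true
    rules:
    - type: scan_finding
      branch_type: protected
    actions:
    - type: require_approval
      approvals_required: 1
  - name: MRAP - License Scan
    description: ''
    enabled: true
    rules:
    - type: license_finding
      branch_type: protected
    actions:
    - type: require_approval
      approvals_required: 1
  - name: MRAP - any_merge_request
    description: ''
    enabled: true
    rules:
    - type: any_merge_request
      branch_type: protected
    actions:
    - type: require_approval
      approvals_required: 1
  scan_execution_policy:
  - name: SEP - Pipeline
    description: ''
    enabled: true
    rules:
    - type: pipeline
      branches:
      - "*"
    actions:
    - scan: secret_detection
  - name: SEP - Schedule
    description: ''
    enabled: true
    rules:
    - type: schedule
      cadence: "0 0 * * *"
      branch_type: default
    actions:
    - scan: secret_detection
  pipeline_execution_policy:
  - name: PEP - Inject
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
      - project: read-model-migration/read-model-migration-security-policy-project
        file: basic.yml
  vulnerability_management_policy:
  - name: Vulnerability management policy
    description: ''
    enabled: true
    rules:
    - type: no_longer_detected
      severity_levels: [critical, high]
    actions:
    - type: auto_resolve
YAML

# The four top-level policy types the backfill reads from the YAML.
POLICY_TYPES = %w[approval_policy scan_execution_policy
                  pipeline_execution_policy vulnerability_management_policy].freeze

# Parse the file and group policies by type (a missing type becomes []).
def load_policies(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  POLICY_TYPES.to_h { |type| [type, Array(doc[type])] }
end

# Policy names in file order: what Security::Policy.all.map(&:name) should
# list after the backfill (row order is not guaranteed, so compare as sets).
def policy_names(yaml_text)
  load_policies(yaml_text).values.flatten.map { |policy| policy['name'] }
end

# Number of rule rows expected per type; pipeline execution policies have none.
def rule_counts(yaml_text)
  load_policies(yaml_text).transform_values do |policies|
    policies.sum { |policy| Array(policy['rules']).size }
  end
end

# Longest description in the file: the value that hit the (now removed)
# text limit on the description column when the first run of the backfill failed.
def longest_description_length(yaml_text)
  lengths = load_policies(yaml_text).values.flatten.map { |p| p['description'].to_s.length }
  lengths.max || 0
end
```

Run it against the real .gitlab/security-policies/policy.yml of the policy project (read the file instead of the constructed constant) and compare the output with the Rails console queries: seven names, three approval policy rules, two scan execution rules and one vulnerability management rule for the file in the setup steps.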
Edited by Sashi Kumar Kumaresan