Analyze pipeline execution policy configs for enforced scanners

What does this MR do and why?

Analyze pipeline execution policy configs for enforced scanners

  • Add and trigger worker to analyze the config when policy changes
  • Update policy metadata with enforced scanners

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable feature flag pipeline_execution_policy_analyze_configs
  2. Create a project SPP
  3. In the project, create policy-ci.yml:
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    policy-test-job:
      stage: test
      script:
        - echo 'Policy test job 1'
  4. Create another project
  5. In this project, go to Secure -> Policies and link the project SPP from step 2 as a policy project
  6. Create a new pipeline execution policy:
    pipeline_execution_policy:
      - name: Enforced scans
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <path-to-spp-project>
              file: policy-ci.yml
  7. Save the policy
  8. Verify in the Rails console that the metadata has been updated with enforced_scans: ['dependency_scanning']:
    Security::Policy.last.metadata
  9. Update the policy to link to another file that does not include any scanner template
  10. Verify that the metadata has been updated and enforced_scans is []
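As an added illustration of what such an analysis worker has to do (example code, not the MR's implementation): a Ruby function that reads a policy CI config, normalises its `include:` entries and maps known scanner templates to the `enforced_scans` values, using the two policy-ci.yml states from the steps above as constructed input. Only the Dependency-Scanning template appears on the page; the other entries in the template table are assumed.

```ruby
require 'yaml'

# Maps scanner CI templates to the scanner identifiers stored in policy
# metadata. Only Dependency-Scanning appears in the MR description; the
# other template names are assumptions added for illustration.
SCANNER_TEMPLATES = {
  'Jobs/Dependency-Scanning.gitlab-ci.yml' => 'dependency_scanning',
  'Jobs/SAST.gitlab-ci.yml'                => 'sast',
  'Jobs/Secret-Detection.gitlab-ci.yml'    => 'secret_detection',
  'Jobs/Container-Scanning.gitlab-ci.yml'  => 'container_scanning'
}.freeze

# `include:` may be a string, a single hash, or an array of either;
# normalise to an array of hashes so every entry is inspected the same way.
# Note: Array() on a Hash would split it into key/value pairs, so wrap by hand.
def include_entries(config)
  raw = config['include']
  list = raw.is_a?(Array) ? raw : [raw].compact
  list.map { |entry| entry.is_a?(Hash) ? entry : { 'local' => entry } }
end

# Returns the sorted, de-duplicated scanners enforced by a policy CI config.
# Includes that are not a known scanner template (project files, local
# files) are skipped here; a real worker would have to resolve those too.
def enforced_scanners(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  return [] unless config.is_a?(Hash)

  include_entries(config)
    .filter_map { |entry| SCANNER_TEMPLATES[entry['template']] }
    .uniq
    .sort
end

# The metadata update the worker writes back onto the policy record.
def policy_metadata(yaml_text)
  { 'enforced_scans' => enforced_scanners(yaml_text) }
end

# Constructed samples mirroring the two policy-ci.yml states from the steps.
WITH_SCANNER = <<~YAML
  include:
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  policy-test-job:
    stage: test
    script:
      - echo 'Policy test job 1'
YAML

WITHOUT_SCANNER = <<~YAML
  include:
    - local: other-policy-ci.yml
  policy-test-job:
    stage: test
    script:
      - echo 'Policy test job 1'
YAML
```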

Related to #498624 (closed)

Edited by Martin Cavoj
