PoC for Flexible Scan Execution Policy Trigger Conditions

What does this MR do and why?

This MR implements a proof of concept for flexible trigger conditions in Scan Execution Policies. It adds two key enhancements:

  1. Pipeline Source Filtering: Allows policies to be applied selectively based on pipeline source (push, web, API, merge request event, etc.)
  2. Extended Branch Type Targeting: Adds two new branch types for more granular policy application:
    • target_default: Targets source branches with open merge requests to the default branch
    • target_protected: Targets source branches with open merge requests to protected branches

These enhancements provide more precise control over when security scans are executed, allowing teams to optimize scan coverage while reducing unnecessary scans.

Implementation Details

  • Added pipeline_source parameter to policy evaluation methods
  • Extended branch type matching to support the new target_default and target_protected types
  • Added logic to identify source branches from open merge requests targeting specific branch types
  • Updated JSON schemas to include the new branch types and pipeline source filtering options
  • Added method to check if a policy applies to a specific pipeline source

References

How to set up and validate locally

  1. Create or modify a scan execution policy to include the new trigger conditions:

    rules:
      - type: pipeline
        branch_type: target_protected
        pipeline_source:
          including:
            - merge_request_event
            - web


  2. Create a merge request targeting a protected branch

  3. Verify that the scan execution policy is applied correctly based on the pipeline source and branch type
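To make the evaluation described under Implementation Details concrete, and to show what step 3 above is checking, here is an added example of a minimal rule evaluator. It is not GitLab's code; the `Project` and `MergeRequest` structs, the method names, and the project state are all constructed assumptions, and the rule is the one from step 1.

```ruby
# Added example, not GitLab's code: a minimal evaluator for the trigger
# conditions this MR proposes. All names and structures here are assumptions.
Project = Struct.new(:default_branch, :protected_branches, :open_merge_requests, keyword_init: true)
MergeRequest = Struct.new(:source_branch, :target_branch, keyword_init: true)

# A rule without `pipeline_source` applies to every source; otherwise the
# pipeline source must appear in the `including` list.
def pipeline_source_allowed?(rule, pipeline_source)
  including = rule.dig('pipeline_source', 'including')
  including.nil? || including.include?(pipeline_source.to_s)
end

# Source branches of open MRs whose target branch satisfies the block.
def source_branches_for(project)
  project.open_merge_requests.select { |mr| yield(mr.target_branch) }.map(&:source_branch)
end

# Branch-type matching, including the two new types (target_default, target_protected).
def branch_matches?(rule, project, branch)
  protected_branch = ->(b) { project.protected_branches.include?(b) }
  case rule['branch_type']
  when 'all'              then true
  when 'default'          then branch == project.default_branch
  when 'protected'        then protected_branch.call(branch)
  when 'target_default'   then source_branches_for(project) { |t| t == project.default_branch }.include?(branch)
  when 'target_protected' then source_branches_for(project, &protected_branch).include?(branch)
  else false
  end
end

# The policy applies only when both the branch type and the pipeline source match.
def rule_applies?(rule, project, branch, pipeline_source)
  branch_matches?(rule, project, branch) && pipeline_source_allowed?(rule, pipeline_source)
end

# The rule from step 1 above, as parsed YAML.
RULE = { 'type' => 'pipeline', 'branch_type' => 'target_protected',
         'pipeline_source' => { 'including' => %w[merge_request_event web] } }.freeze

# Constructed project: `main` is the default (and protected) branch, `release` is protected.
PROJECT = Project.new(
  default_branch: 'main', protected_branches: %w[main release],
  open_merge_requests: [
    MergeRequest.new(source_branch: 'feature-a', target_branch: 'main'),
    MergeRequest.new(source_branch: 'feature-b', target_branch: 'release'),
    MergeRequest.new(source_branch: 'feature-c', target_branch: 'develop')
  ]
)
```

With this state, `rule_applies?(RULE, PROJECT, 'feature-a', :merge_request_event)` is true, while a `push` pipeline on the same branch, or an MR pipeline on `feature-c` (whose target `develop` is unprotected), is not matched.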

Edited by Alan (Maciej) Paruszewski
