Add Internal Inventory checks

What does this MR do and why?

Add Internal Inventory checks

  • Adds checks for:
    • push_protection_enabled
    • project_marked_for_deletion
    • project_visibility_not_internal
    • project_archived
    • default_branch_users_can_merge
    • merge_request_commit_reset_approvals
    • project_visibility_not_public
    • package_hunter_no_findings_untriaged
    • project_pipelines_not_public
    • vulnerabilities_slo_days_over_threshold
    • merge_requests_approval_rules_prevent_editing
    • project_user_defined_variables_restricted
    • merge_requests_require_code_owner_approval
    • cicd_job_token_scope_enabled

Changelog: added
EE: true

References

Screenshots or screen recordings


How to set up and validate locally

(Example with one of the controls)

  • Run `bundle exec rake compliance_management:control_schema:generate` to exercise the new task.
  • To validate the project_archived control:
  1. Create a compliance framework for your project:
```graphql
mutation createComplianceFramework {
  createComplianceFramework(
    input: {
      namespacePath: "flightjs/Flight",
      params: {
        name: "SSO Framework",
        description: "Framework for security compliance requirements",
        color: "#0000FF"
      }
    }
  ) {
    framework {
      id
      name
      description
      color
    }
    errors
  }
}
```
  2. Create a compliance requirement using the framework ID returned in Step 1:
```graphql
mutation createComplianceRequirement {
  createComplianceRequirement(
    input: {
      complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/<FRAMEWORK_ID>",
      params: {
        name: "Custom req 1",
        description: "some description"
      },
      controls: []
    }
  ) {
    errors
    requirement {
      id
      name
      description
    }
  }
}
```
  3. Create a control using the requirement ID returned in Step 2:
```graphql
mutation createComplianceRequirementControl {
  createComplianceRequirementsControl(
    input: {
      complianceRequirementId: "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/<REQUIREMENT_ID>",
      params: {
        name: "project_archived",
        expression: "{\"operator\":\"=\",\"field\":\"project_archived\",\"value\":true}"
      }
    }
  ) {
    errors
    requirementsControl {
      id
      name
      expression
    }
  }
}
```
  4. Open the GDK rails console and evaluate the control against the project:
```ruby
project = Project.find(PROJECT_ID) # The project used in Step 1
control = ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl.find(CONTROL_ID) # ID returned from Step 3

ComplianceManagement::ComplianceRequirements::ExpressionEvaluator.new(control, project).evaluate
```
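As an added example (not part of this MR and not GitLab's own `ComplianceManagement::ComplianceRequirements::ExpressionEvaluator`), the stand-alone Ruby below parses a control expression in the JSON shape used in Step 3 and evaluates it against a hash of project attributes, failing closed on unknown fields, unknown operators, missing attributes and type mismatches. The field list is taken from the checks in this MR; the `>`/`<` operators, the attribute hash standing in for a `Project`, the sample data and the helper names are assumptions for illustration.

```ruby
require 'json'

# Added example: a stand-alone evaluator for control expressions of the shape
#   {"operator":"=","field":"project_archived","value":true}
# It is NOT GitLab's ComplianceManagement::ComplianceRequirements::ExpressionEvaluator;
# the operators beyond "=", the attribute hash and the helper names are assumptions.

# Assumed operator set. The MR only shows "="; ">" and "<" are added so a numeric
# check such as vulnerabilities_slo_days_over_threshold can be expressed.
SUPPORTED_OPERATORS = {
  '=' => ->(actual, expected) { actual == expected },
  '>' => ->(actual, expected) { actual > expected },
  '<' => ->(actual, expected) { actual < expected }
}.freeze

# Field names are taken from the checks listed in this MR.
KNOWN_FIELDS = %w[
  push_protection_enabled project_marked_for_deletion project_visibility_not_internal
  project_archived default_branch_users_can_merge merge_request_commit_reset_approvals
  project_visibility_not_public package_hunter_no_findings_untriaged
  project_pipelines_not_public vulnerabilities_slo_days_over_threshold
  merge_requests_approval_rules_prevent_editing project_user_defined_variables_restricted
  merge_requests_require_code_owner_approval cicd_job_token_scope_enabled
].freeze

class ControlExpressionError < StandardError; end

# Parse and validate the JSON expression. Anything unexpected (unknown field,
# unknown operator, missing value, bad JSON) raises instead of silently passing.
def parse_control_expression(json)
  expr = JSON.parse(json)
  raise ControlExpressionError, 'expression must be a JSON object' unless expr.is_a?(Hash)

  field = expr['field']
  op = expr['operator']
  raise ControlExpressionError, "unknown field #{field.inspect}" unless KNOWN_FIELDS.include?(field)
  raise ControlExpressionError, "unsupported operator #{op.inspect}" unless SUPPORTED_OPERATORS.key?(op)
  raise ControlExpressionError, 'missing value' unless expr.key?('value')

  { field: field, operator: op, value: expr['value'] }
rescue JSON::ParserError => e
  raise ControlExpressionError, "invalid JSON: #{e.message}"
end

# Evaluate a parsed expression against a hash of project attributes
# (a constructed stand-in for the Project the real evaluator receives).
# Fails closed: a missing attribute or a type mismatch counts as non-compliant.
def evaluate_control(expr, project_attrs)
  return false unless project_attrs.key?(expr[:field])

  actual = project_attrs[expr[:field]]
  SUPPORTED_OPERATORS.fetch(expr[:operator]).call(actual, expr[:value]) == true
rescue ArgumentError, NoMethodError
  false
end

# Evaluate several named controls at once; returns { name => pass? }.
def evaluate_controls(controls, project_attrs)
  controls.to_h { |name, json| [name, evaluate_control(parse_control_expression(json), project_attrs)] }
end

# Constructed sample project: archived, push protection off, SLO exceeded by 45 days.
SAMPLE_PROJECT = {
  'project_archived' => true,
  'push_protection_enabled' => false,
  'vulnerabilities_slo_days_over_threshold' => 45
}.freeze

# Constructed sample controls in the same JSON shape as Step 3.
SAMPLE_CONTROLS = {
  'project_archived' => '{"operator":"=","field":"project_archived","value":true}',
  'push_protection_enabled' => '{"operator":"=","field":"push_protection_enabled","value":true}',
  'vulnerabilities_slo_days_over_threshold' =>
    '{"operator":"<","field":"vulnerabilities_slo_days_over_threshold","value":30}'
}.freeze

if __FILE__ == $PROGRAM_NAME
  evaluate_controls(SAMPLE_CONTROLS, SAMPLE_PROJECT).each do |name, ok|
    puts "#{name}: #{ok ? 'PASS' : 'FAIL'}"
  end
end
```

The point of the fail-closed rules is that a control should never pass by accident: an expression referencing a field the schema does not know, or a project that lacks the attribute, reports non-compliant rather than `nil == false`.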

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
