Limit scan execution policy schedule `actions`

What does this MR do and why?

Limits the number of actions per scan execution policy whose rule is of type `schedule`; actions beyond the configured application-setting limit are not executed.

References

#472214 (closed)

How to set up and validate locally

1. Ensure the feature flag is disabled:

   ```shell
   echo "Feature.disable(:scan_execution_policy_action_limit)" | rails c
   ```

2. Create a new project, navigate to Secure > Policies and create the following scan execution policy:

   ```yaml
   scan_execution_policy:
     - name: Test policy
       enabled: true
       rules:
         - type: schedule
           branch_type: default
           cadence: 0 0 * * *
       actions:
         - scan: secret_detection
         - scan: container_scanning
   ```

3. Set the application setting to 1:

   ```shell
   curl -sX PUT -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "http://gdk.test:3000/api/v4/application/settings?scan_execution_policies_action_limit=1"
   ```

4. Enable the feature flag:

   ```shell
   echo "Feature.enable(:scan_execution_policy_action_limit)" | rails c
   ```

5. Execute the resulting schedule immediately (in `rails c`):

   ```ruby
   schedule = Security::OrchestrationPolicyRuleSchedule.last!
   project_id = schedule.project_id
   user_id = schedule.user_id

   Security::ScanExecutionPolicies::RuleScheduleWorker.new.perform(project_id, user_id, schedule.id)
   ```

6. Navigate to Build > Pipelines and verify that the resulting pipeline has only a single job, `secret-detection-0`.
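To make the expected outcome of the validation steps concrete, the following added example (not code from this MR or from GitLab) models the limit described above: actions of policies with a `schedule` rule are truncated to the application-setting value, only when the feature flag is on, while pipeline-type policies are left untouched. The job naming (`scan` name with hyphens plus the action index, e.g. `secret-detection-0`) and the second policy are assumptions for illustration.

```ruby
require 'yaml'

# Constructed sample: the policy from the validation steps above plus a
# hypothetical pipeline-type policy that the limit must not affect.
POLICY_YAML = <<~YAML
  scan_execution_policy:
    - name: Test policy
      enabled: true
      rules:
        - type: schedule
          branch_type: default
          cadence: 0 0 * * *
      actions:
        - scan: secret_detection
        - scan: container_scanning
    - name: Pipeline policy
      enabled: true
      rules:
        - type: pipeline
          branches: [main]
      actions:
        - scan: secret_detection
        - scan: container_scanning
YAML

# Returns the policies with actions truncated to `limit` for policies that
# contain at least one rule of type `schedule`. With the flag disabled the
# policies are returned unchanged, mirroring the feature-flag gating.
def limit_schedule_actions(policies, limit, flag_enabled: true)
  return policies unless flag_enabled

  policies.map do |policy|
    scheduled = policy['rules'].any? { |rule| rule['type'] == 'schedule' }
    next policy unless scheduled

    policy.merge('actions' => policy['actions'].first(limit))
  end
end

# Hypothetical job naming: scan name with underscores replaced by hyphens
# followed by the action index, matching the `secret-detection-0` job name.
def job_names(policy)
  policy['actions'].each_with_index.map { |action, i| "#{action['scan'].tr('_', '-')}-#{i}" }
end

# Maps each policy name to the jobs a pipeline would contain after limiting.
def limited_job_names(yaml, limit, flag_enabled: true)
  policies = YAML.safe_load(yaml)['scan_execution_policy']
  limit_schedule_actions(policies, limit, flag_enabled: flag_enabled)
    .to_h { |policy| [policy['name'], job_names(policy)] }
end
```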

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #472214 (closed)

Edited by Dominic Bauer
