Default scan_execution_policies_action_limit setting to 0

What does this MR do and why?

We have previously introduced the scan_execution_policies_action_limit application setting with a default value of 10. This setting lets admins configure the maximum number of actions per scan execution policy. The effect of this setting is gated by a feature flag, since enabling the limit is a breaking change.

We were planning to enable the feature flag for %18.0 but have decided to change our approach so that the limit of 10 actions only takes effect on gitlab.com. To accomplish this, this MR:

  • changes the default value of the scan_execution_policies_action_limit application setting to 0
  • updates the backend action limiting so that actions don't get limited when the setting is 0
  • removes the feature flags, since the application setting is now used to opt in to the new code branch
  • adds a database migration for resetting the setting value in application_settings.security_policies
  • updates the frontend policy overview
    • hard-codes the upcoming action limit of 10
    • makes the banner only show if the hard-coded limit of 10 is exceeded
    • marks policies only as invalid in the UI if the setting is not 0

Once %18.0 ships, we will update the application setting through a Change Request.

References

How to set up and validate locally

  1. (Optional) If you have set the application setting before, reset it to 0 by navigating to Admin > Settings > Security and Compliance > Security policies > Maximum number of actions per scan execution policy

  2. Create a new project, navigate to Secure > Policies and create the following scan execution policy:

```yaml
scan_execution_policy:
  - name: Policy A
    enabled: true
    rules:
      - type: schedule
        branch_type: default
        cadence: 0 0 * * *
    actions:
      - scan: secret_detection
      - scan: container_scanning
```

  3. Navigate back to Secure > Policies and verify no banner is displayed and the policy is not marked as invalid

  4. Create the following scan execution policy:

```yaml
scan_execution_policy:
  - name: Policy B
    enabled: true
    rules:
      - type: schedule
        branch_type: default
        cadence: 0 0 * * *
    actions: # 11 actions
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
      - scan: secret_detection
```

  5. Navigate back to Secure > Policies and verify the "Maximum action limit for scan execution policies will be enabled in 18.0" banner is displayed but no policy is marked as invalid

  6. Set the application setting to 10:

```shell
curl -sX PUT -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "http://gdk.test:3000/api/v4/application/settings?scan_execution_policies_action_limit=10"
```

  7. Navigate back to Secure > Policies and verify only Policy B is marked as invalid
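The three outcomes the validation steps check (no banner, banner without invalid policies, invalid policy once the setting is 10) follow from the rules listed above. The following is an added model of that logic, not GitLab's own code: function and field names are assumptions, and the sample policies are constructed to match Policy A and Policy B.

```python
"""Hypothetical model of the scan execution policy action-limit rules in this MR.

Added illustration only; names are assumptions, not GitLab's implementation.
"""
from dataclasses import dataclass

UPCOMING_ACTION_LIMIT = 10  # value the frontend hard-codes for the 18.0 banner


@dataclass
class PolicyStatus:
    name: str
    action_count: int
    exceeds_upcoming_limit: bool  # contributes to showing the banner
    invalid: bool                  # drives the "invalid" marker in the UI


def effective_limit(setting_value: int):
    """Backend rule: a setting of 0 means actions are not limited (None)."""
    return None if setting_value == 0 else setting_value


def evaluate_policies(scan_execution_policies, setting_value: int):
    """Return per-policy status plus whether the overview banner should show.

    Banner: any policy exceeds the hard-coded limit of 10.
    Invalid: only when the setting is not 0 and the policy exceeds it.
    """
    limit = effective_limit(setting_value)
    statuses = []
    for policy in scan_execution_policies:
        count = len(policy.get("actions") or [])
        statuses.append(PolicyStatus(
            name=policy["name"],
            action_count=count,
            exceeds_upcoming_limit=count > UPCOMING_ACTION_LIMIT,
            invalid=limit is not None and count > limit,
        ))
    show_banner = any(s.exceeds_upcoming_limit for s in statuses)
    return statuses, show_banner


# Constructed sample input mirroring the two policies from the steps above.
POLICY_A = {"name": "Policy A", "enabled": True,
            "actions": [{"scan": "secret_detection"}, {"scan": "container_scanning"}]}
POLICY_B = {"name": "Policy B", "enabled": True,
            "actions": [{"scan": "secret_detection"}] * 11}

if __name__ == "__main__":
    for setting in (0, 10):
        statuses, banner = evaluate_policies([POLICY_A, POLICY_B], setting)
        print(f"setting={setting} banner={banner}",
              [(s.name, s.action_count, s.invalid) for s in statuses])
```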

Screenshots

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #535605 (closed)

Edited by Dominic Bauer
