Use policy name for compliance framework policy deduplication

What does this MR do and why?

This MR fixes a bug where security policies linked to a compliance framework were incorrectly deduplicated when multiple policies shared the same name. The fix updates the deduplication logic to consider both the policy name and the security policy management project ID, ensuring policies with the same name from different management projects are not incorrectly merged.
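To make the bug concrete, the following is an added Ruby example (not GitLab's code or the MR's diff) that contrasts name-only deduplication with deduplication keyed on policy name plus security policy management project ID; the policy records, project IDs and hash keys are constructed for illustration, and the exact deduplication key is assumed from the description above.

```ruby
# Added example, not GitLab's code. Policy records, project IDs and the
# hash keys below are constructed; the (name, project ID) key is assumed
# from the MR description rather than copied from the actual change.

# Constructed sample: policies linked to one compliance framework.
# Entries 1 and 3 share a name but come from different management projects;
# entry 4 is a genuine duplicate of entry 1 (same name, same project).
POLICIES = [
  { name: 'Security Policy',   security_policy_management_project_id: 10 },
  { name: 'Security Policy 2', security_policy_management_project_id: 10 },
  { name: 'Security Policy',   security_policy_management_project_id: 20 },
  { name: 'Security Policy',   security_policy_management_project_id: 10 }
].freeze

# Buggy behaviour: keying only on the policy name merges the two distinct
# "Security Policy" entries, so one policy silently drops out of the list.
def dedup_by_name(policies)
  policies.uniq { |policy| policy[:name] }
end

# Fixed behaviour: key on name AND management project ID. Policies that
# merely share a name are kept apart; true duplicates are still collapsed.
def dedup_by_name_and_project(policies)
  policies.uniq do |policy|
    [policy[:name], policy[:security_policy_management_project_id]]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "name only:      #{dedup_by_name(POLICIES).size} policies"             # 2
  puts "name + project: #{dedup_by_name_and_project(POLICIES).size} policies" # 3
end
```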

References

Screenshots or screen recordings

Policies: [screenshot]

Before: [screenshot] / After: [screenshot]

How to set up and validate locally

  1. Create a compliance framework.
  2. In the group security-policies project, define 2 scan execution policies with different names and 1 MR approval policy with the same name as one of the scan execution policies. Policy YAML:

```yaml
---
approval_policy:
- name: Security Policy
  description: ''
  enabled: true
  enforcement_type: warn
  policy_scope:
    compliance_frameworks:
    - id: 1
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - maintainer
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open
scan_execution_policy:
- name: Security Policy
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 1
  rules:
  - type: pipeline
    branch_type: default
  - type: pipeline
    branch_type: target_default
    pipeline_sources:
      including:
      - merge_request_event
  actions:
  - scan: secret_detection
    template: latest
    variables:
      SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
  skip_ci:
    allowed: true
- name: Security Policy 2
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 1
  rules:
  - type: pipeline
    branch_type: default
  - type: pipeline
    branch_type: target_default
    pipeline_sources:
      including:
      - merge_request_event
  actions:
  - scan: secret_detection
    template: latest
    variables:
      SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
  skip_ci:
    allowed: true
```

  3. Go to Secure → Policies and verify that all 3 policies are listed with the framework.
  4. Go to Compliance Center → Framework → Edit and verify that all 3 policies are listed.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #576286 (closed)

Edited by Sashi Kumar Kumaresan