Add audit events for security scan profile attach/detach

What does this MR do and why?

This MR implements audit event logging for security scan profile attach and detach operations in GitLab's security risk management feature. It adds audit events when security scan profiles are attached to or detached from projects, providing visibility into profile management operations.

Changelog: added
EE: true

References

[Backend] Add audit logs when attaching/detachi... (#586609 - closed) • Nicolae Rotaru • 18.9

Parent epic: &19802

New audit events added:

Security Scan Profiles:

  • security_scan_profile_attached_to_project - When a security scan profile is attached to a project
  • security_scan_profile_detached_from_project - When a security scan profile is detached from a project

Key Changes

  1. Service Layer Updates: Modified security scan profile services to generate audit events:

    • Security::ScanProfiles::ProjectAttachService
    • Security::ScanProfiles::ProjectDetachService
  2. GraphQL Mutations: Updated mutations to pass current_user to services:

    • Mutations::Security::ScanProfiles::Attach
    • Mutations::Security::ScanProfiles::Detach
  3. Audit Event Configuration: Added YAML configuration files for the 2 new audit event types in ee/config/audit_events/types/

  4. Documentation: Updated the audit event types documentation to include the new security scan profile events

  5. Test Coverage: Added comprehensive test coverage for all audit events, including verification of event details and proper scoping

Technical Implementation

  • Uses GitLab's standard audit event framework with Gitlab::Audit::Auditor
  • Events are properly scoped at the Project level
  • Uses Gitlab::Audit::EventQueue for batch processing of multiple audit events
  • Includes detailed metadata in audit events (profile ID, name, scan type, project ID, project path)
  • Follows established patterns from !209118 (merged) for audit event creation and queuing
  • Optimized the detach operation to use a single DELETE ... RETURNING query instead of a separate SELECT followed by a DELETE

How to set up and validate locally

Prerequisites

  1. Enable the required feature flag:

    Feature.enable(:security_scan_profiles_feature)

Manual Testing

  1. Setup

    • Select a root group where you have at least maintainer permissions
    • Select (or create) two projects under the group
  2. Test Attach Operation

    • Use the securityScanProfileAttach GraphQL mutation to attach a profile to projects:
    mutation {
      securityScanProfileAttach(
        input: {
          securityScanProfileId: "gid://gitlab/Security::ScanProfile/secret_detection"
          projectIds: ["gid://gitlab/Project/<PROJECT_ID>"]
        }
      ) {
        errors
      }
    }
  3. Test Detach Operation

    • Use the securityScanProfileDetach GraphQL mutation to detach a profile from projects:
    mutation {
      securityScanProfileDetach(
        input: {
          securityScanProfileId: "<PROFILE_ID>"
          projectIds: ["gid://gitlab/Project/<PROJECT_ID>"]
        }
      ) {
        errors
      }
    }
  4. Verify Audit Events

    • Navigate to "Secure -> Audit events" (at group or project level)
    • Verify audit events are created for:
      • Security scan profile attachments
      • Security scan profile detachments
    • Check audit event structure includes proper profile and project details
  5. Console Verification (Optional)

    # Inspect recent audit events
    AuditEvent.last(5).each { |event| puts event.details.inspect }
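As an added example (not code from this MR or from GitLab itself), the Ruby script below reads audit events exported as JSON Lines and replays the two new event names in timestamp order to list projects whose scan profile was detached and never re-attached; the sample records and the detail key names (profile_id, profile_name, scan_type, project_id, project_path) are constructed assumptions, not GitLab's schema.

```ruby
require 'json'
require 'time'

ATTACH = 'security_scan_profile_attached_to_project'
DETACH = 'security_scan_profile_detached_from_project'

# Constructed sample audit events in JSON Lines form. The detail keys are
# assumed names for the metadata the MR describes, not GitLab's real schema.
SAMPLE_AUDIT_EVENTS = <<~JSONL
  {"event_name":"security_scan_profile_attached_to_project","author_name":"alice","created_at":"2025-01-10T09:00:00Z","details":{"profile_id":"secret_detection","profile_name":"Secret Detection","scan_type":"secret_detection","project_id":42,"project_path":"group/app-one"}}
  {"event_name":"security_scan_profile_attached_to_project","author_name":"alice","created_at":"2025-01-10T09:00:01Z","details":{"profile_id":"secret_detection","profile_name":"Secret Detection","scan_type":"secret_detection","project_id":43,"project_path":"group/app-two"}}
  {"event_name":"security_scan_profile_attached_to_project","author_name":"alice","created_at":"2025-01-12T11:30:00Z","details":{"profile_id":"secret_detection","profile_name":"Secret Detection","scan_type":"secret_detection","project_id":42,"project_path":"group/app-one"}}
  {"event_name":"security_scan_profile_detached_from_project","author_name":"bob","created_at":"2025-01-11T16:45:00Z","details":{"profile_id":"secret_detection","profile_name":"Secret Detection","scan_type":"secret_detection","project_id":42,"project_path":"group/app-one"}}
  {"event_name":"security_scan_profile_detached_from_project","author_name":"bob","created_at":"2025-01-11T16:46:00Z","details":{"profile_id":"secret_detection","profile_name":"Secret Detection","scan_type":"secret_detection","project_id":43,"project_path":"group/app-two"}}
  {"event_name":"project_created","author_name":"alice","created_at":"2025-01-09T08:00:00Z","details":{"project_id":44,"project_path":"group/app-three"}}
JSONL

def parse_audit_events(jsonl)
  jsonl.each_line.map { |line| JSON.parse(line, symbolize_names: true) }
end

# Replays attach/detach events in timestamp order (the sample above is
# deliberately out of order) and returns the (project, scan type) pairs whose
# most recent event is a detach: profiles that were removed and not re-attached.
def uncovered_projects(events)
  latest = {}
  events.sort_by { |e| Time.iso8601(e[:created_at]) }.each do |e|
    next unless [ATTACH, DETACH].include?(e[:event_name])
    d = e[:details]
    latest[[d[:project_path], d[:scan_type]]] = {
      attached: e[:event_name] == ATTACH, author: e[:author_name], at: e[:created_at]
    }
  end
  latest.reject { |_, s| s[:attached] }.map do |(path, scan_type), s|
    { project_path: path, scan_type: scan_type, detached_by: s[:author], detached_at: s[:at] }
  end
end

if __FILE__ == $PROGRAM_NAME
  uncovered_projects(parse_audit_events(SAMPLE_AUDIT_EVENTS)).each do |gap|
    puts "#{gap[:project_path]} lost #{gap[:scan_type]} (detached by #{gap[:detached_by]} at #{gap[:detached_at]})"
  end
end
```

On the sample data only group/app-two is reported, because app-one was re-attached after its detach; unrelated event types are ignored.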

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Nicolae Rotaru
