Add support for atomic scanner rule criteria in MR approval policies

What does this MR do and why?

  • Add support for atomic scanner rule criteria in approval policies, allowing per-scanner overrides of vulnerability_attributes, severity_levels, vulnerabilities_allowed, and vulnerability_states
  • Introduce ScannerConfig PORO and consolidate scanner parsing logic into the existing Rule PORO
  • Update JSON schemas (security_orchestration_policy.json, approval_policy_rule_content.json) to accept scanners as either legacy strings or scanner_with_attributes objects via oneOf

Policy YAML

This change is fully backward compatible and non-breaking. The existing legacy string format for scanners (e.g., scanners: [sast, dependency_scanning]) continues to work exactly as before. The new object format (e.g., scanners: [{type: sast, severity_levels: [critical]}]) is additive and opt-in. Mixed formats are also supported: string and object scanners can coexist in the same array. When the atomic_scanner_rule_criteria feature flag is disabled (default), all scanners fall back to rule-level attributes regardless of format, preserving current behavior. When enabled, per-scanner attributes take precedence with rule-level values as fallbacks.

Before

```yaml
rules:
- type: scan_finding
  branches:
  - main
  scanners:
  - sast
  - dependency_scanning
  - container_scanning
  severity_levels:
  - critical
  - high
  vulnerabilities_allowed: 0
  vulnerability_states:
  - detected
  - confirmed
  vulnerability_attributes:
    fix_available: true
    known_exploited: true
```

After

```yaml
rules:
- type: scan_finding
  branches:
  - main
  scanners:
  - type: sast
    severity_levels:
    - critical
    - high
    vulnerabilities_allowed: 0
    vulnerability_states:
    - detected
    vulnerability_attributes:
      fix_available: true
  - type: dependency_scanning
    severity_levels:
    - critical
    - high
    - medium
    vulnerabilities_allowed: 2
    vulnerability_states:
    - detected
    - confirmed
    vulnerability_attributes:
      known_exploited: true
      epss_score:
        operator: greater_than
        value: 0.7
  - type: container_scanning
    severity_levels:
    - critical
    vulnerabilities_allowed: 0
    vulnerability_states:
    - detected
    - confirmed
    vulnerability_attributes:
      fix_available: true
      enrichment_data_unavailable:
        action: block
  severity_levels:
  - critical
  - high
  vulnerabilities_allowed: 0
  vulnerability_states:
  - detected
  - confirmed
```
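The resolution rule described above (mixed string/object scanners, per-scanner values winning only while the feature flag is on, rule-level values as the fallback) as an added, stand-alone Ruby model. This is illustration written for this page, not the ScannerConfig or Rule POROs the MR introduces; the names ScanFindingRule, ScannerCriteria, resolved_criteria and the sample rule are hypothetical and constructed. It also assumes a per-scanner vulnerability_attributes hash replaces the rule-level hash wholesale rather than merging with it.

```ruby
require 'yaml'

# Added illustration only: a hypothetical model of the override/fallback rule,
# not the ScannerConfig/Rule POROs the MR itself introduces.
PER_SCANNER_KEYS = %w[
  severity_levels vulnerabilities_allowed vulnerability_states vulnerability_attributes
].freeze

# Criteria for one scanner after overrides and fallbacks have been applied.
ScannerCriteria = Struct.new(
  :type, :severity_levels, :vulnerabilities_allowed,
  :vulnerability_states, :vulnerability_attributes,
  keyword_init: true
)

class ScanFindingRule
  def initialize(raw, atomic_criteria_enabled:)
    @raw = raw
    @atomic_criteria_enabled = atomic_criteria_enabled
  end

  # `scanners` may mix legacy strings ("sast") and objects ({ "type" => "sast", ... }).
  # An object without a usable `type` is rejected rather than silently dropped.
  def scanner_criteria
    Array(@raw['scanners']).map do |scanner|
      type, overrides = scanner.is_a?(Hash) ? [scanner['type'], scanner] : [scanner, {}]
      unless type.is_a?(String) && !type.empty?
        raise ArgumentError, "scanner entry is missing 'type': #{scanner.inspect}"
      end

      attrs = PER_SCANNER_KEYS.to_h { |key| [key.to_sym, resolve(key, overrides)] }
      ScannerCriteria.new(type: type, **attrs)
    end
  end

  private

  # A per-scanner value wins only when the flag is on AND the key is present.
  # `key?` (not truthiness) is deliberate: an explicit `vulnerabilities_allowed: 0`
  # or `fix_available: false` override must not be mistaken for "absent".
  def resolve(key, overrides)
    return overrides[key] if @atomic_criteria_enabled && overrides.key?(key)

    @raw[key]
  end
end

# Constructed sample rule mixing both scanner formats (not from the MR).
SAMPLE_RULE = YAML.safe_load(<<~YAML)
  type: scan_finding
  branches: [main]
  scanners:
    - sast
    - type: dependency_scanning
      severity_levels: [critical, high, medium]
      vulnerabilities_allowed: 2
  severity_levels: [critical, high]
  vulnerabilities_allowed: 0
  vulnerability_states: [detected, confirmed]
  vulnerability_attributes:
    fix_available: true
YAML

# Returns { "sast" => {...}, "dependency_scanning" => {...} }, symbol-keyed criteria per scanner.
def resolved_criteria(rule = SAMPLE_RULE, flag_enabled: true)
  ScanFindingRule.new(rule, atomic_criteria_enabled: flag_enabled)
                 .scanner_criteria
                 .to_h { |criteria| [criteria.type, criteria.to_h] }
end

if $PROGRAM_NAME == __FILE__
  [true, false].each do |flag|
    puts "atomic_scanner_rule_criteria=#{flag}"
    resolved_criteria(flag_enabled: flag).each do |type, crit|
      puts "  #{type}: #{crit.reject { |k, _| k == :type }}"
    end
  end
end
```

Running the script prints the resolved criteria twice: with the flag on, dependency_scanning gets its own severity_levels and vulnerabilities_allowed while inheriting vulnerability_states and vulnerability_attributes from the rule; with the flag off, both scanners resolve to the rule-level values and the object's overrides are ignored. The `key?` check in `resolve` is the part worth copying into a real implementation, since a `||`-style fallback would turn an override of `0` or `false` into the rule-level value.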

Changes

This is split into 3 MRs:

1️⃣ ➡️ Add support for atomic scanner rule criteria in... (!224785 - merged)
2️⃣ Add grouped services for atomic scanner criteria (!224788)
3️⃣ Use grouped services for atomic scanner criteria (!224789)

Related to #584704

Edited by Sashi Kumar Kumaresan
