Persist per-project schedules for scan execution policies

Martin Cavojrequested to merge
592731-persist-per-project-schedules-for-sep-1 into master

What does this MR do and why?

Persist per-project schedules for scan execution policies

Add the security_scan_execution_project_schedules table and ScanExecutionProjectSchedule model to persist per-project random offsets for scheduled scan execution policies.

The RuleScheduleService now creates a project schedule row on every execution (behind the scan_execution_policy_project_schedule_creation feature flag).

References

  1. 👉 Persist per-project schedules for scan executio... (!227096 - merged)
  2. Add per-project scheduling for scan execution p... (!227101)
  3. Draft: Sync schedules when policy changes (!227102)

Database

.for_rule_schedule 

SELECT "security_policies".* FROM "security_policies" WHERE "security_policies"."type" = 1 AND "security_policies"."security_orchestration_policy_configuration_id" = 309 AND "security_policies"."policy_index" = 0

Plan: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/49791/commands/148219

How to set up and validate locally

  1. In rails console enable the feature flag 
    Feature.enable(:scan_execution_policy_project_schedule_creation)
  2. Create a project with a scan execution policy that runs on schedule 
    scan_execution_policy:
  - name: Secrets on schedule
    description: ''
    enabled: true
    actions:
      - scan: secret_detection
        template: latest
        variables:
          SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
    rules:
      - type: schedule
        cadence: 0 0 1 * *
        branch_type: default
        timezone: Europe/Zurich
    skip_ci:
      allowed: true
  3. Trigger the schedule pipeline manually via rails console 
    schedule = Security::OrchestrationPolicyRuleSchedule.last
schedule.update_columns(next_run_at: 1.day.ago) && Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  4. Verify that project schedule record was created with schedule.project_schedules
  5. Run the schedule again and verify that it doesn't get re-created again

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #592731

Edited by Martin Cavoj

Merge request reports