Draft: POC security policy integration with security attributes

What does this MR do and why?

POC security policy integration with security attributes

References

Related to: #589342 (closed)

Screenshots or screen recordings


How to set up and validate locally

  1. Create a new project.
  2. Add a .gitlab-ci.yml file with the content:

```yaml
include:
  - template: Jobs/SAST.gitlab-ci.yml
```

  3. Go to Secure > Security Configuration.
  4. Select Security attributes.
  5. Click on Edit project security attributes.
  6. Select Mission Critical.
  7. Go to Secure > Policies.
  8. Click on New policy.
  9. Select Merge request approval policy.
  10. Create a policy to block new vulnerabilities on Mission Critical projects.
  11. Get the security_attribute id (for example from a Rails console):

```ruby
category = Security::Category.where(template_type: "business_impact")
Security::Attribute.where(security_category: category).where(name: "Mission Critical").first
```

  12. Create a policy like the following, substituting the security_attribute id from the previous step into the business_impact scope:

```yaml
approval_policy:
  - name: Test
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        branches: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        scanners: []
    policy_scope:
      business_impact:
        including:
          - id: <security_attribute_id>
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
```

  13. Click on Create new project with the new policy.
  14. Merge the MR to add the policy.
  15. Go back to the project created in step 1.
  16. Create an MR adding the file vuln.rb with the content (this is deliberately vulnerable to command injection so that SAST reports a new finding):

```ruby
class RunScript
  def run_script
    system("cat #{params[:path]}")
  end
end
```
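The following is an added illustration, not code from this MR or from GitLab, of what the validation steps above exercise: a merge request approval policy whose policy_scope restricts it to projects carrying a given business_impact security attribute, and whose scan_finding rule blocks MRs that introduce more than vulnerabilities_allowed new findings. The scope-matching semantics (a project is in scope when it carries at least one of the listed attribute ids; an absent scope applies everywhere) and the treatment of empty filter lists as "any" are assumptions about the POC, and the attribute id 42 and the finding list are constructed sample values.

```ruby
# Added example: evaluate the policy above against a project's security
# attributes and the new findings of an MR. Matching semantics are an
# assumption about the POC, not GitLab's implementation.
require "yaml"

# Constructed copy of the policy from the steps above; the security attribute
# id placeholder is replaced with the constructed value 42.
POLICY_YAML = <<~YAML
  approval_policy:
    - name: Test
      description: ''
      enabled: true
      rules:
        - type: scan_finding
          branches: []
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          scanners: []
      policy_scope:
        business_impact:
          including:
            - id: 42
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - developer
YAML

POLICY = YAML.safe_load(POLICY_YAML).fetch("approval_policy").first

# Is a project with the given security attribute ids inside the policy's
# business_impact scope? No scope clause means the policy applies everywhere.
def scoped_to?(policy, project_attribute_ids)
  scope = policy.dig("policy_scope", "business_impact")
  return true if scope.nil?

  including = Array(scope["including"]).map { |entry| entry["id"] }
  (including & project_attribute_ids).any?
end

# An empty filter list in the rule (severity_levels, scanners) matches anything.
def filter_matches?(filter, value)
  filter.nil? || filter.empty? || filter.include?(value)
end

# Approval is required when the policy is enabled, the project is in scope and
# a scan_finding rule sees more matching new findings than vulnerabilities_allowed.
def approval_required?(policy, project_attribute_ids:, new_findings:)
  return false unless policy["enabled"] && scoped_to?(policy, project_attribute_ids)

  policy["rules"].any? do |rule|
    next false unless rule["type"] == "scan_finding"

    matching = new_findings.count do |finding|
      filter_matches?(rule["severity_levels"], finding[:severity]) &&
        filter_matches?(rule["scanners"], finding[:scanner])
    end
    matching > rule["vulnerabilities_allowed"]
  end
end

# Number of approvals the policy's require_approval actions demand.
def required_approvals(policy)
  policy["actions"]
    .select { |action| action["type"] == "require_approval" }
    .sum { |action| action["approvals_required"] }
end

# Constructed sample: the one SAST finding the vuln.rb MR would produce.
FINDINGS = [{ severity: "high", scanner: "semgrep", title: "Command injection" }].freeze

if __FILE__ == $PROGRAM_NAME
  # Mission Critical project (attribute 42): the MR needs an approval.
  puts approval_required?(POLICY, project_attribute_ids: [42], new_findings: FINDINGS)
  # Project without that attribute: out of scope, no approval needed.
  puts approval_required?(POLICY, project_attribute_ids: [7], new_findings: FINDINGS)
  puts required_approvals(POLICY)
end
```

Running the script prints true, false and 1: only the project tagged with the Mission Critical attribute is caught by the policy, which is the behaviour steps 13 to 16 above verify through the UI.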

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
