Add feature flag and scan_result_policies
What does this MR do and why?
Add feature flag and scan_result_policies as part of the orchestration policy configuration.
Currently orchestration policy configuration supports scan_execution_policies and this MR extends it to also support scan_result_policies.
The actual creation of the project approval rules will be implemented as part of !70632 (merged).
Similarly, the synchronization of MR approval rules will be part of !70633 (merged).
Related issues: #339270 (closed) #339271 (closed) #341962 (closed)
Example of a policy yaml:
---
scan_execution_policy:
- name: Enforce DAST in every pipeline
  description: This policy enforces pipeline configuration to have a job with DAST scan
  enabled: true
  rules:
  - type: pipeline
    branches:
    - master
  actions:
  - scan: dast
    site_profile: Scanner Profile A
    scanner_profile: Site Profile B
scan_result_policy:
- name: critical vulnerability CS approvals
  description: critical severity level only for container scanning
  enabled: true
  rules:
  - type: scan_finding
    branches:
    - master
    scanners:
    - container_scanning
    vulnerabilities_allowed: 1
    severity_levels:
    - critical
  - type: scan_finding
    branches:
    - master
    scanners:
    - dast
    vulnerabilities_allowed: 1
    severity_levels:
    - info
  - type: scan_finding
    branches:
    - master
    scanners:
    - container_scanning
    vulnerabilities_allowed: 10
    severity_levels:
    - info
  actions:
  - type: require_approval
    approvals_required: 1
    approvers:
    - adalberto.dare
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.