
Enhance policy validation to consider scan result

What does this MR do and why?

Enhance policy validation to consider scan result policies, as their rules can have no branches. It also clears up a misunderstanding in a comment.

Related issue: #352307 (closed)

How to set up and validate locally

  1. Enable the scan_result_policy feature flag
  2. Create a security project as described in the docs
  3. Create a new scan result policy as the project owner
  4. Run the following mutation with parameters similar to:

     mutation updatePolicy($projectPath: ID!, $mode: MutationOperationMode = APPEND, $name: String, $policyYaml: String!) {
       scanExecutionPolicyCommit(
         input: {name: $name, projectPath: $projectPath, operationMode: $mode, policyYaml: $policyYaml}
       ) {
         branch
         errors
         __typename
       }
     }

     Query variables:

     {
         "mode": "REPLACE",
         "name": "secondary CS approvals",
         "projectPath": "test-group1/part-of-the-test-group",
         "policyYaml": "type: scan_result_policy\nname: secondary CS approvals\ndescription: secondary only for container scanning\nenabled: true\nrules:\n  - type: scan_finding\n    branches: []\n    scanners:\n      - container_scanning\n    vulnerabilities_allowed: 1\n    severity_levels:\n      - critical\n    vulnerability_states:\n      - newly_detected\nactions:\n  - type: require_approval\n    approvals_required: 1\n    user_approvers_ids:\n      - 11\n"
     }
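To show the validation behaviour this MR is after in isolation, here is an added Ruby example (not GitLab's validator and not code from this MR) that parses the policyYaml from the query variables above and accepts its empty branches list because the policy type is scan_result_policy, while rejecting a constructed scan_execution_policy whose rule omits branches; the "other policy types need branches" rule is an assumption made for illustration.

```ruby
require 'yaml'

# Policy YAML from the MR's query variables: a scan_result_policy whose rule has branches: [].
SCAN_RESULT_POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: secondary CS approvals
  description: secondary only for container scanning
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      scanners:
        - container_scanning
      vulnerabilities_allowed: 1
      severity_levels:
        - critical
      vulnerability_states:
        - newly_detected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 11
YAML
# Constructed scan_execution_policy (not from the page) whose rule omits branches.
SCAN_EXECUTION_POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: nightly DAST
  rules:
    - type: schedule
      cadence: '0 0 * * *'
  actions:
    - scan: dast
YAML

# Returns validation errors (empty array = valid). Rules of a scan_result_policy
# may have no branches; other policy types need at least one branch per rule
# (assumed rule for illustration, not GitLab's own validator).
def validate_policy(policy_yaml)
  policy = YAML.safe_load(policy_yaml)
  errors = []
  rules = Array(policy['rules'])
  errors << 'policy has no rules' if rules.empty?
  return errors if policy['type'] == 'scan_result_policy'
  rules.each_with_index do |rule, i|
    errors << "rule #{i}: branches required for #{policy['type']}" if Array(rule['branches']).empty?
  end
  errors
end
```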

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
