
Extend scan_finding rules to group level

Zamir Martins requested to merge extend_scan_result_rules_to_group_level into master

What does this MR do and why?

Prior to this there have been the following related changes:

  1. !96563 (merged) Allows the creation of scan result policies from the UI into merge request and into security orchestration policy repository.
  2. !97270 (merged) Adds new columns for both approval project rules and approval merge request rules. It propagates the information from project into merge request approval rules.

This MR allows the creation of project level approval rules from the policy YAML file on a group level.

Related issues: #367713 (closed)

Context

  1. Back in the day, each MR could only have one approval rule of a single type. Therefore there was no grouping in any form. The synchronization logic was also simpler because it was either a new rule or an update of the existing one.
  2. Then the report type scan_finding was introduced and multiple rules could be created. The relationship in terms of approvals changed from a rule perspective into a policy perspective (known as scan result policies). Therefore a single approval rule was elected to represent the policy through grouping by orchestration_policy_idx.
  3. More recently, policies have been extended to group level, which implies that a project can inherit policies not only through other security projects but also the ones set on a group level. To avoid ambiguity, security_orchestration_policy_configuration has been associated with the rules so deletion and creation can be performed within a scope. This requires updating the grouping to also consider security_orchestration_policy_configuration in addition to the existing orchestration_policy_idx. The following is a screenshot of an MR with both project and group level policies, where each policy has multiple rules.

Screenshots or screen recordings

[Screenshot: Screen_Shot_2022-09-21_at_3.23.47_PM]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
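The grouping change described in the Context section above, as an added illustration that is not code from this MR or from GitLab: rules from a project-level and a group-level policy can share the same orchestration_policy_idx, so grouping by the index alone merges two policies, while adding the policy configuration to the key keeps creation and deletion scoped. The Rule struct, the policy_configuration_id attribute and the configuration ids are constructed for the example.

```ruby
# Constructed model: a minimal stand-in for an approval rule carrying the two
# attributes the MR groups by. policy_configuration_id stands in for the
# security_orchestration_policy_configuration association (assumed name).
Rule = Struct.new(:name, :orchestration_policy_idx, :policy_configuration_id, keyword_init: true)

PROJECT_CONFIG = 1 # constructed id: policy configuration bound to the project
GROUP_CONFIG   = 2 # constructed id: policy configuration inherited from the group

# Constructed sample: the project policy and the group policy both start at idx 0.
EXISTING_RULES = [
  Rule.new(name: "critical-sast", orchestration_policy_idx: 0, policy_configuration_id: PROJECT_CONFIG),
  Rule.new(name: "critical-dast", orchestration_policy_idx: 0, policy_configuration_id: PROJECT_CONFIG),
  Rule.new(name: "license-deny",  orchestration_policy_idx: 0, policy_configuration_id: GROUP_CONFIG),
  Rule.new(name: "secret-detect", orchestration_policy_idx: 1, policy_configuration_id: GROUP_CONFIG)
].freeze

# Pre-group-level grouping: one policy is identified by orchestration_policy_idx only.
# With group policies present, idx 0 of both configurations collapses into one group.
def group_by_idx(rules)
  rules.group_by(&:orchestration_policy_idx)
end

# Scoped grouping: the policy configuration is part of the key, so a project policy
# and a group policy that both sit at idx 0 stay separate.
def group_by_config_and_idx(rules)
  rules.group_by { |r| [r.policy_configuration_id, r.orchestration_policy_idx] }
end

# Rules belonging to policy `idx` of configuration `config_id`; nothing from another
# configuration is ever returned, which is what makes deletion safe to scope.
def rules_in_scope(rules, config_id:, idx:)
  group_by_config_and_idx(rules).fetch([config_id, idx], [])
end

# Synchronize one policy within its configuration scope: returns the rule names to
# create and the rules to delete, leaving other configurations untouched.
def sync_policy(rules, config_id:, idx:, desired_names:)
  current = rules_in_scope(rules, config_id: config_id, idx: idx)
  {
    create: desired_names - current.map(&:name),
    delete: current.reject { |r| desired_names.include?(r.name) }
  }
end
```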
