Extend scan_finding rules to group level
What does this MR do and why?
Prior to this there have been the following related changes:
- !96563 (merged) Allows the creation of scan result policies from the UI into merge request and into security orchestration policy repository.
- !97270 (merged) Adds new columns for both approval project rules and approval merge request rules. It propagates the information from project into merge request approval rules.
This MR allows the creation of project-level approval rules from the policy YAML file on a group level.
Related issues: #367713 (closed)
Context
- Back in the day, each MR could only have one approval rule of a single type, so there was no grouping of any form. The synchronization logic was also simpler, because it was either a new rule or an update of the existing one.
- Then the report type `scan_finding` was introduced and multiple rules could be created. The relationship in terms of approvals changed from a rule perspective into a policy perspective (known as scan result policies). Therefore a single approval rule was elected to represent the policy, through grouping by `orchestration_policy_idx`.
- More recently, policies have been extended to group level, which implies that a project can inherit policies not only through other security projects but also the ones set on a group level. To avoid ambiguity, `security_orchestration_policy_configuration` has been associated with the rules so that deletion and creation can be performed within a scope. This requires updating the grouping to also consider `security_orchestration_policy_configuration` in addition to the existing `orchestration_policy_idx`. The following is a screenshot of an MR with both project- and group-level policies, where each policy has multiple rules.
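To illustrate why the grouping key has to include the policy configuration, here is an added example (not GitLab's code): a minimal model of approval rules grouped the old way (by `orchestration_policy_idx` only) and the new way (by configuration and index), plus a sync that deletes and recreates rules only within one configuration's scope. The `ApprovalRule` struct, the `policy_configuration_id` field name and the sample rules are constructed for the example.

```ruby
# Hypothetical approval rule: which scan result policy (index) produced it and which
# security orchestration policy configuration (project- or group-level) owns it.
ApprovalRule = Struct.new(:name, :orchestration_policy_idx, :policy_configuration_id,
                          keyword_init: true)

# Constructed sample: project configuration 1 and group configuration 2 both have a
# policy at index 0, which is exactly the case that makes the old grouping ambiguous.
SAMPLE_RULES = [
  ApprovalRule.new(name: 'project-critical', orchestration_policy_idx: 0, policy_configuration_id: 1),
  ApprovalRule.new(name: 'project-high',     orchestration_policy_idx: 0, policy_configuration_id: 1),
  ApprovalRule.new(name: 'group-critical',   orchestration_policy_idx: 0, policy_configuration_id: 2),
  ApprovalRule.new(name: 'group-license',    orchestration_policy_idx: 1, policy_configuration_id: 2)
].freeze

# Old grouping: index only. Project and group policies at index 0 land in one bucket,
# so syncing one configuration would touch the other configuration's rules.
def group_by_idx(rules)
  rules.group_by(&:orchestration_policy_idx)
end

# New grouping: configuration and index together, one bucket per policy per scope.
def group_by_configuration_and_idx(rules)
  rules.group_by { |r| [r.policy_configuration_id, r.orchestration_policy_idx] }
end

# Sync the rules of a single configuration: rules in scope whose policy index is no
# longer desired are deleted, desired rules are (re)created in that scope, and rules
# belonging to other configurations are left untouched.
def sync_rules(existing, desired, policy_configuration_id)
  in_scope, out_of_scope = existing.partition { |r| r.policy_configuration_id == policy_configuration_id }
  desired_idxs = desired.map(&:orchestration_policy_idx).uniq
  deleted = in_scope.reject { |r| desired_idxs.include?(r.orchestration_policy_idx) }
  synced = desired.map do |r|
    ApprovalRule.new(name: r.name, orchestration_policy_idx: r.orchestration_policy_idx,
                     policy_configuration_id: policy_configuration_id)
  end
  { rules: out_of_scope + synced, deleted: deleted }
end
```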
Screenshots or screen recordings
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Zamir Martins