BE: Add support for branch exceptions for Scan Execution Policies and Scan Result Policies
<!-- Implementation issues are used to break up a large piece of work into small, discrete tasks that can move independently through the build workflow steps. They're typically used to populate a Feature Epic. Once created, an implementation issue is usually refined in order to populate and review the implementation plan and weight. Example workflow: https://about.gitlab.com/handbook/engineering/development/threat-management/planning/diagram.html#plan -->

## Why are we doing this work

In the scope of this issue, we would like to extend the current functionality to support `branch_exceptions`.

## Relevant links

* [Epic](https://gitlab.com/groups/gitlab-org/-/epics/9567)
* [Discussion about schema](https://gitlab.com/groups/gitlab-org/-/epics/9567#note_1385187614)
* [Design Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/387045)

## Non-functional requirements

- [x] Documentation: no documentation changes are needed until the feature flag is enabled by default
- [x] Feature flag: the overall feature should be released behind the feature flag `security_policies_branch_exceptions`; if the FF is disabled we should not consider `branch_exceptions` when evaluating whether a policy is applicable
- [ ] Performance:
- [x] Testing:
  - Test that current functionality still works when `branch_exceptions` is provided; if you can use the UI, it should have no impact on current functionality
  - Test that the policy is not enforced when the policy is applied at group level and the exception's branch name and full path match the project's full path and branch name
  - Test that the policy is not enforced when the policy is applied at group level and the exception's branch name and full path match the project's group full path and branch name
  - Test that the policy is enforced when the policy is applied at group level and the exception's full path matches only the project's group full path, but not the branch name
  - Test that the policy is enforced when the policy is applied at group level and the exception's full path matches only the project's full path, but not the branch name
  - Test that the policy is enforced when the policy is applied at group level and the exception matches only the project's branch name, but not the full path
  - Test that the policy is not enforced when the policy is applied at group level and the exception's branch name matches the project's branch name
  - Test that the policy is not enforced when the policy is applied at project level and the exception's branch name matches the project's branch name

## Implementation plan

- MR1:
  - ~backend modify `ee/app/services/security/security_orchestration_policies/policy_branches_service.rb` to support branch exceptions defined for both Scan Execution Policies and Scan Result Policies
  - See: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/126963/diffs

<!-- Workflow and other relevant labels
# ~"group::" ~"Category:" ~"GitLab Ultimate"
Other settings you might want to include when creating the issue.
# /assign @
# /epic &
-->

## Verification steps

1. Create a new Project
1. Create a new Scan Result Policy in YAML mode and add `branch_exceptions: ["dev", { full_path: "path/to/project", "name": "main" }]`
1. Create a new Scan Execution Policy in YAML mode and add `branch_exceptions: ["dev", { full_path: "path/to/project", "name": "main" }]`
1. Try to create an invalid policy with invalid `branch_exceptions`
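The matching rules listed under Testing and the verification steps above, as an added Ruby example that is not GitLab's own `policy_branches_service.rb` code: it evaluates a policy's `branch_exceptions` list (plain branch names and `{ full_path:, name: }` hashes) against a project branch, honours the feature flag, and rejects malformed entries. Assumptions not taken from the issue: `Project` is a plain Struct carrying `full_path` and `group_full_path`, the flag state is passed in as a boolean, and branch names are compared exactly with no wildcard support.

```ruby
# Added example, not GitLab's own code: evaluates a policy's `branch_exceptions`
# list against a project branch. Assumptions not taken from the issue: Project is
# a plain Struct carrying full_path and group_full_path; the feature flag state is
# passed in as a boolean; branch names are compared exactly (no wildcards).
Project = Struct.new(:full_path, :group_full_path, keyword_init: true)

module BranchExceptions
  module_function

  # An entry is valid when it is a non-empty branch name or a hash with exactly
  # the keys full_path and name, both non-empty strings.
  def valid_entry?(entry)
    case entry
    when String then !entry.empty?
    when Hash
      e = entry.transform_keys(&:to_s)
      e.keys.sort == %w[full_path name] && e.values.all? { |v| v.is_a?(String) && !v.empty? }
    else false
    end
  end

  # A plain name matches the branch on any project. A { full_path:, name: } hash
  # matches only when full_path equals the project's own full path or its group's
  # full path AND name equals the branch.
  def entry_matches?(entry, project, branch_name)
    return false unless valid_entry?(entry)
    return entry == branch_name if entry.is_a?(String)

    e = entry.transform_keys(&:to_s)
    paths = [project.full_path, project.group_full_path].compact
    paths.include?(e['full_path']) && e['name'] == branch_name
  end

  # True when the branch is excepted, i.e. the policy must NOT be enforced on it.
  # With the `security_policies_branch_exceptions` flag off, exceptions are ignored.
  def excepted?(branch_exceptions, project:, branch_name:, feature_flag_enabled:)
    return false unless feature_flag_enabled

    (branch_exceptions || []).any? { |entry| entry_matches?(entry, project, branch_name) }
  end

  # Convenience: the policy applies to the branch unless it is excepted.
  def policy_applicable?(branch_exceptions, project:, branch_name:, feature_flag_enabled:)
    !excepted?(branch_exceptions, project: project, branch_name: branch_name,
               feature_flag_enabled: feature_flag_enabled)
  end
end
```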