Add `branch_type` validations
Summary
We are adding branch_type
support to security policies (&9468 (closed)).
At policy creation/update time, we need to validate the following conditions:
| branch_type | Validation |
|---|---|
| `all` | repository exists and has at least one branch |
| `protected` | repository has at least one protected branch |
| `default` | repository has a default branch and the default branch is protected |
Implementation Plan
A proof-of-concept can be found on the 9468-branch-expressions branch.
- backend: Change `Security::SecurityOrchestrationPolicies::ValidatePolicyService` so that it validates as outlined above.
- backend: Add or use the feature flag `security_policies_branch_type`. If the flag is disabled, skip the `branch_type` validations.
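The following is an added example, not GitLab's own `ValidatePolicyService` and not code from the proof-of-concept branch. It models the three rows of the validation table above and the feature-flag gate from the implementation plan in stand-alone Ruby: `Repository`, `FeatureFlags` and `BranchTypeValidator` are constructed stand-ins for the project, `Feature.enabled?` and the service, and the policy fed to it is the YAML from the verification steps.

```ruby
# Added example: a stand-alone model of the branch_type validation table
# from this issue. It is NOT GitLab's ValidatePolicyService; Repository,
# FeatureFlags and BranchTypeValidator are constructed stand-ins.
require 'yaml'
require 'set'

BRANCH_TYPE_ERROR = "Branch types don't match any existing branches"

# Constructed stand-in for the repository state the validator inspects.
Repository = Struct.new(:branch_names, :protected_branch_names, :default_branch,
                        keyword_init: true) do
  # "repository exists and has at least one branch"
  def exists_with_branches?
    !branch_names.empty?
  end

  # Only branches that actually exist count: a protection rule whose
  # pattern matches nothing does not satisfy the 'protected' check.
  def protected_existing_branches
    branch_names & protected_branch_names
  end

  # "repository has a default branch and the default branch is protected"
  def default_branch_protected?
    !default_branch.nil? && branch_names.include?(default_branch) &&
      protected_branch_names.include?(default_branch)
  end
end

# Hypothetical stand-in for Feature.enabled?(:security_policies_branch_type).
class FeatureFlags
  def initialize(enabled)
    @enabled = Set.new(enabled.map(&:to_sym))
  end

  def enabled?(name)
    @enabled.include?(name.to_sym)
  end
end

class BranchTypeValidator
  def initialize(repository:, feature_flags:)
    @repository = repository
    @flags = feature_flags
  end

  # Takes a parsed policy hash (symbol keys) and returns a list of error
  # messages; an empty list means the policy passes branch_type validation.
  def validate(policy)
    # Flag disabled: skip branch_type validation entirely, as the plan says.
    return [] unless @flags.enabled?(:security_policies_branch_type)

    branch_types = Array(policy[:rules]).map { |rule| rule[:branch_type] }.compact
    return [] if branch_types.empty? # rules using `branches` are out of scope here

    branch_types.all? { |type| branch_type_matches?(type) } ? [] : [BRANCH_TYPE_ERROR]
  end

  private

  def branch_type_matches?(type)
    case type.to_s
    when 'all'       then @repository.exists_with_branches?
    when 'protected' then !@repository.protected_existing_branches.empty?
    when 'default'   then @repository.default_branch_protected?
    else false # an unknown branch_type matches no branch
    end
  end
end

# The policy from the verification steps, reproduced as a constructed input.
POLICY_YAML = <<~YAML
  type: scan_execution_policy
  name: Test with branch type
  description: ''
  enabled: true
  rules:
    - type: pipeline
      branch_type: protected
  actions:
    - scan: dast
      site_profile: ''
      scanner_profile: ''
      tags: []
YAML

# Runs the verification scenario: fresh project whose only branch is the
# (unprotected) default branch, flag enabled. Returns the validation errors.
def verification_scenario
  repo = Repository.new(branch_names: %w[main], protected_branch_names: [],
                        default_branch: 'main')
  flags = FeatureFlags.new([:security_policies_branch_type])
  policy = YAML.safe_load(POLICY_YAML, symbolize_names: true)
  BranchTypeValidator.new(repository: repo, feature_flags: flags).validate(policy)
end

puts verification_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The intersection in `protected_existing_branches` is deliberate: protected-branch rules can be wildcard patterns, and a pattern that matches no real branch should not let a `protected` policy pass. Running the file prints the single error string the verification steps expect; with the flag left out of `FeatureFlags` the same policy validates cleanly.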
Verification steps
- Create a project
- Unprotect the default branch
- Enable the feature flag `security_policies_branch_type`
- Go to Policies -> New scan execution policy -> .yaml mode and enter:

```yaml
type: scan_execution_policy
name: Test with branch type
description: ''
enabled: true
rules:
  - type: pipeline
    branch_type: protected
actions:
  - scan: dast
    site_profile: ''
    scanner_profile: ''
    tags: []
```

- Submitting the policy should result in the error "Branch types don't match any existing branches"
Edited by Martin Čavoj