Add `branch_type` support to Scan result policies
Summary
We are adding `branch_type` support to security policies (&9468 (closed)).
Implementation Plan
A proof-of-concept can be found on the 9468-branch-expressions branch.
- backend: Reuse `PolicyBranchesService`, introduced by #404774 (closed), to determine the target branches for a given policy.
- backend: Add or use the feature flag `security_policies_branch_type`. If it is disabled for an actor, `branch_type` rules are skipped from processing.
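The gating and branch resolution described in the plan, as an added Ruby example (not GitLab's own code): rules carrying `branch_type` are dropped when a flag is disabled for the actor, and the remaining rules are resolved to protected branch ids. The protected branch table, the sample rules, the `flag_enabled:` keyword and the stand-ins for `PolicyBranchesService#execute` and `get_ids_by_name` are constructed for this illustration; how the real service expands an empty `branches` list is assumed, not taken from the page.

```ruby
# Added example, not GitLab's own code: feature-flag gating of `branch_type`
# rules and resolution of rules to protected branch ids. All names and data
# below are constructed for the illustration.

# Constructed protected branches of a project: name => id.
PROTECTED_BRANCHES = { 'main' => 1, 'release/1.0' => 2, 'release/2.0' => 3 }.freeze

# Constructed rules as parsed from a policy YAML (symbol keys, as in the diff).
SAMPLE_RULES = [
  { type: 'scan_finding', branches: ['main', 'feature-x'] }, # legacy name list
  { type: 'scan_finding', branches: [] },                    # legacy "all protected"
  { type: 'scan_finding', branch_type: 'protected' }         # new syntax
].freeze

# Same predicate as in the diff: a `branch_type` key wins over the legacy
# `branches` list when both are present.
def applies_to_all_protected_branches?(rule)
  return rule[:branch_type] == 'protected' if rule.key?(:branch_type)

  rule[:branches] == []
end

# Per the implementation plan: when the flag is disabled for the actor, rules
# that use `branch_type` are skipped entirely; legacy rules are unaffected.
# `flag_enabled:` stands in for the real Feature.enabled? check.
def processable_rules(rules, flag_enabled:)
  return rules if flag_enabled

  rules.reject { |rule| rule.key?(:branch_type) }
end

# Branch names a rule targets (stand-in for PolicyBranchesService#execute).
# Only the "protected" branch_type is known from the page; any other value
# resolves to no branches here. An empty legacy `branches` list is assumed
# to mean every protected branch.
def target_branch_names(rule, protected_branches)
  if rule.key?(:branch_type)
    rule[:branch_type] == 'protected' ? protected_branches.keys : []
  elsif rule[:branches].nil? || rule[:branches].empty?
    protected_branches.keys
  else
    rule[:branches] & protected_branches.keys
  end
end

# Stand-in for `get_ids_by_name`: names with no protected branch are dropped.
def ids_by_name(names, protected_branches)
  names.filter_map { |name| protected_branches[name] }
end

# The two approval-rule fields the diff derives from a rule.
def branch_params(rule, protected_branches)
  names = target_branch_names(rule, protected_branches)
  {
    protected_branch_ids: ids_by_name(names, protected_branches),
    applies_to_all_protected_branches: applies_to_all_protected_branches?(rule)
  }
end

if __FILE__ == $PROGRAM_NAME
  processable_rules(SAMPLE_RULES, flag_enabled: true).each do |rule|
    p branch_params(rule, PROTECTED_BRANCHES)
  end
end
```

Running it with `flag_enabled: false` leaves only the two legacy rules, which is the behaviour the plan asks for; with the flag on, the `branch_type: protected` rule and the legacy `branches: []` rule produce the same parameters, which is the equivalence the new predicate in the diff relies on.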
diff --git ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb
@@ -60,10 +60,12 @@ def create_scan_result_policy(rule)
end
def rule_params(rule, rule_index, action_info, scan_result_policy_read)
+ branches = Security::SecurityOrchestrationPolicies::PolicyBranchesService.new([rule], project).execute
+
protected_branch_ids = if ::Feature.enabled?(:group_protected_branches)
- project.all_protected_branches.get_ids_by_name(rule[:branches])
+ project.all_protected_branches.get_ids_by_name(branches)
else
- project.protected_branches.get_ids_by_name(rule[:branches])
+ project.protected_branches.get_ids_by_name(branches)
end
rule_params = {
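Review bot: the feature flag `security_policies_branch_type` from the implementation plan is not consulted in this hunk; `PolicyBranchesService.new([rule], project).execute` runs for every rule regardless of the flag, so a rule carrying `branch_type` still feeds `get_ids_by_name(branches)` for an actor with the flag disabled unless the service checks the flag internally. Either gate here (`branches = rule[:branches]` when the flag is off) or confirm and document that the service does it. A spec for a rule with no `branches` key is also worth adding, since the direct `rule[:branches]` access this hunk removes was the only place that would have surfaced it.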
@@ -71,7 +73,7 @@ def rule_params(rule, rule_index, action_info, scan_result_policy_read)
approvals_required: action_info[:approvals_required],
name: rule_name(policy[:name], rule_index),
protected_branch_ids: protected_branch_ids,
- applies_to_all_protected_branches: rule[:branches].empty?,
+ applies_to_all_protected_branches: applies_to_all_protected_branches?(rule),
rule_type: :report_approver,
user_ids: users_ids(action_info[:user_approvers_ids], action_info[:user_approvers]),
report_type: report_type(rule[:type]),
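Review bot: after this change `protected_branch_ids` (previous hunk) and `applies_to_all_protected_branches` come from different sources, the service result and the rule hash respectively. For a `branch_type: protected` rule, if the service expands `protected` to every protected branch, the approval rule ends up both listing all ids and flagged as applying to all, whereas the removed `rule[:branches]` lookup with an empty list would presumably yield no ids. State which field consumers treat as authoritative, or clear `protected_branch_ids` when `applies_to_all_protected_branches?(rule)` is true, so the two cannot disagree.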
@@ -116,6 +118,14 @@ def rule_name(policy_name, rule_index)
"#{policy_name} #{rule_index + 1}"
end
+ def applies_to_all_protected_branches?(rule)
+ return rule[:branch_type] == "protected" if rule.key?(:branch_type)
+
+ rule[:branches] == []
+ end
+
def license_scanning_policies_enabled
@license_scanning_policies_enabled ||= Feature.enabled?(:license_scanning_policies, project)
end
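Review bot: `rule[:branches] == []` is not equivalent to the removed `rule[:branches].empty?`. For a rule without a `branches` key (now expected when `branch_type` is used, and possible for a malformed legacy policy) the old expression raised `NoMethodError` on `nil`, while the new one quietly returns `false`, so such a rule silently stops applying to all protected branches. If a missing `branches` should mean "all", use `rule[:branches].blank?`; otherwise add a spec pinning the `nil` case. The method also only recognises the literal `"protected"` string and lets any other `branch_type` value fall through to `false` without validation, so make sure the policy schema rejects unexpected values before they reach here.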
Edited by Dominic Bauer