# Add `branch_type` support to scan result policies

## What does this MR do and why?

We are adding `branch_type` support to security policies (&9468 (closed)). This MR adds `branch_type` support to scan result policies.
## How to set up and validate locally

- Create a new group.
- Create a new contained project.
- Enable the feature flag for the project:

  ```ruby
  Feature.enable(:security_policies_branch_type, Project.last)
  ```

- Navigate to Repository > Branches and create the following branches: `develop`, `feature-1`.
- Navigate to Settings > Repository and protect the `develop` branch.
- Navigate to Settings > Repository and, within the Branch defaults section, set `develop` as default branch.
- On the group level, navigate to Security and Compliance > Policies and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Container Scanning Default Branch
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      branch_type: default
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  ```

- On the project level, navigate to Security and Compliance > Policies and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Secret Detection Protected Branches
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      branch_type: protected
      scanners:
        - secret_detection
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  ```

- Open MRs targeting the following branches and verify the expected approval rules:

  | Target branch | Approval rules |
  |---|---|
  | `main` | Secret Detection Protected Branches |
  | `develop` | Secret Detection Protected Branches, Container Scanning Default Branch |
  | `feature-1` | none |
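As an added example (not GitLab's implementation), the following Ruby models how a rule's `branch_type` selects which MR target branches a scan result policy applies to, using the project state the steps above set up: default branch `develop`, protected branches `main` (protected since project creation) and `develop`. The `PROJECT` hash, the helper names and the fallback to an explicit `branches` list are assumptions for illustration; the two policies are a constructed, trimmed copy of the ones above.

```ruby
require 'yaml'

# Constructed input: the two policies from the validation steps, trimmed to the fields that decide branch matching.
POLICIES_YAML = <<~YAML
  - type: scan_result_policy
    name: Container Scanning Default Branch
    enabled: true
    rules:
      - type: scan_finding
        branch_type: default
        scanners: [container_scanning]
  - type: scan_result_policy
    name: Secret Detection Protected Branches
    enabled: true
    rules:
      - type: scan_finding
        branch_type: protected
        scanners: [secret_detection]
YAML
POLICIES = YAML.safe_load(POLICIES_YAML)

# Assumed project state (mirrors the setup steps): `main` stays protected from creation, `develop` is protected and then made default.
PROJECT = { default_branch: 'develop', protected_branches: %w[main develop] }.freeze

# Does one rule apply to an MR whose target branch is `target`?
# `branch_type` resolves against project state at evaluation time; without it the rule falls back to an explicit `branches` list (assumed).
def rule_applies?(rule, target, project)
  case rule['branch_type']
  when 'default'   then target == project[:default_branch]
  when 'protected' then project[:protected_branches].include?(target)
  when nil         then Array(rule['branches']).include?(target)
  else raise ArgumentError, "unknown branch_type: #{rule['branch_type']}"
  end
end

# Names of the enabled policies with at least one matching rule, i.e. the approval rules a reviewer should see on the MR.
def applicable_policy_names(policies, target, project = PROJECT)
  policies
    .select { |p| p['enabled'] && p['rules'].any? { |r| rule_applies?(r, target, project) } }
    .map { |p| p['name'] }
end

if __FILE__ == $PROGRAM_NAME
  %w[main develop feature-1].each do |branch|
    names = applicable_policy_names(POLICIES, branch)
    puts "#{branch}: #{names.empty? ? 'none' : names.join(', ')}"
  end
end
```

Running it prints one line per target branch matching the table above; changing `PROJECT` (for example unprotecting `main`) shows why `branch_type` rules must be re-evaluated against current project state rather than cached at policy creation.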
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.

Related to #404785 (closed)