Skip to content

Add `branch_type` support to scan result policies

What does this MR do and why?

We are adding branch_type support to security policies (&9468 (closed)).

This MR adds branch_type support to Scan result policies.

How to set up and validate locally

  • Create a new group

  • Create a new contained project

  • Enable the feature flag for the project:

    Feature.enable(:security_policies_branch_type, Project.last)
  • Navigate to Repository > Branches and create the following branches:

    • develop
    • feature-1
  • Navigate to Settings > Repository and protect the develop branch

  • Navigate to Settings > Repository and within the Branch defaults section, set develop as default branch

  • On the group level, navigate to Security and Compliance > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Container Scanning Default Branch
    description: ''
    enabled: true
    rules:
    - type: scan_finding
      branch_type: default
      scanners:
      - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
    actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
      - 1
  • On the project level, navigate to Security and Compliance > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Secret Detection Protected Branches
    description: ''
    enabled: true
    rules:
    - type: scan_finding
      branch_type: protected
      scanners:
      - secret_detection
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
    actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
      - 1
  • Open MRs targeting the following branches and verify the expected approval rules:

    Target branch Approval rules
    main Secret Detection Protected Branches
    develop Secret Detection Protected Branches , Container Scanning Default Branch
    feature-1 none

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #404785 (closed)

Edited by Dominic Bauer

Merge request reports

Loading