Add vulnerability_attributes to security policy rules
What does this MR do and why?
This adds a new field `vulnerability_attributes` to scan execution policy rules. The goal is to allow users to create approval rules based on these attributes. Some examples:
Require approval only if vulnerability findings are not false-positive

Scenario: If a finding is false-positive there is no need to require approval.

Attributes definition:

```yaml
vulnerability_attributes:
  false_positive: false
```

Full security policy example yaml:

```yaml
scan_result_policy:
  - name: test
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        branches: []
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        vulnerability_attributes:
          false_positive: false
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 44
```
Require approval if vulnerability findings are not false-positive and there is a fix available

Scenario:
- If a finding is false-positive there is no need to require approval.
- If the vulnerability can't be fixed, there is no need to require approval.

Attributes definition:

```yaml
vulnerability_attributes:
  false_positive: false
  fix_available: true
```

Full security policy example yaml:

```yaml
scan_result_policy:
  - name: test
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        branches: []
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        vulnerability_attributes:
          false_positive: false
          fix_available: true
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 44
```
This MR adds the JSON schemas and logic to define those rules in the security policy YAML. It does not enforce the rules yet. The new rules are also not shown on the frontend or in the documentation, so it should be safe to introduce them without a feature flag.
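As an added illustration of the semantics the two scenarios above describe (not code from this MR or from the GitLab codebase), the Ruby script below loads a constructed policy YAML, validates the `vulnerability_attributes` block (assuming `false_positive` and `fix_available` are the only accepted keys, both boolean), and then applies the rule to a few constructed findings to decide whether approval would be required. The `finding_matches?`, `approval_required?` and `load_rules` helpers and the finding hash layout are assumptions made for this example; the MR itself stops at schema and persistence and does not enforce the rule.

```ruby
require 'yaml'

# Constructed sample policy (not from GitLab): the second scenario from the
# MR description, "not false-positive and a fix is available".
POLICY_YAML = <<~YAML
  scan_result_policy:
    - name: test
      description: ''
      enabled: true
      rules:
        - type: scan_finding
          branches: []
          scanners:
            - secret_detection
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          vulnerability_attributes:
            false_positive: false
            fix_available: true
      actions:
        - type: require_approval
          approvals_required: 1
          user_approvers_ids:
            - 44
YAML

# Assumption for this example: only the two attribute names shown in the MR
# description are accepted, and each must be a boolean.
ALLOWED_ATTRIBUTES = %w[false_positive fix_available].freeze

# Returns an array of error strings; empty when the rule's
# vulnerability_attributes block is well-formed (or absent).
def validate_vulnerability_attributes(rule)
  attrs = rule['vulnerability_attributes']
  return [] if attrs.nil?
  return ['vulnerability_attributes must be a mapping'] unless attrs.is_a?(Hash)

  attrs.flat_map do |key, value|
    errors = []
    errors << "unknown attribute #{key.inspect}" unless ALLOWED_ATTRIBUTES.include?(key)
    errors << "#{key} must be true or false, got #{value.inspect}" unless [true, false].include?(value)
    errors
  end
end

# A finding matches the rule when every listed attribute agrees with it.
# A rule without vulnerability_attributes matches every finding.
def finding_matches?(rule, finding)
  (rule['vulnerability_attributes'] || {}).all? do |key, expected|
    finding.fetch(key.to_sym) == expected
  end
end

# Approval is required when more findings match than the rule allows.
def approval_required?(rule, findings)
  findings.count { |f| finding_matches?(rule, f) } > rule.fetch('vulnerabilities_allowed', 0)
end

# Flattens all rules of all policies in the YAML document into one array.
def load_rules(yaml)
  YAML.safe_load(yaml).fetch('scan_result_policy').flat_map { |policy| policy['rules'] }
end

# Constructed findings (hypothetical layout) covering each outcome.
SAMPLE_FINDINGS = [
  { id: 1, false_positive: true,  fix_available: true },  # false positive: ignored
  { id: 2, false_positive: false, fix_available: false }, # real but unfixable: ignored
  { id: 3, false_positive: false, fix_available: true }   # real and fixable: counts
].freeze

if __FILE__ == $PROGRAM_NAME
  rule = load_rules(POLICY_YAML).first
  puts "validation errors: #{validate_vulnerability_attributes(rule).inspect}"
  puts "approval required: #{approval_required?(rule, SAMPLE_FINDINGS)}"
end
```

Running it prints no validation errors and `approval required: true`, because finding 3 is the only one that is neither a false positive nor unfixable, and `vulnerabilities_allowed: 0` tolerates none. Dropping finding 3 flips the result to `false`, which is exactly the "no need to require approval" outcome both scenarios describe.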
Screenshots or screen recordings
How to set up and validate locally
1. Switch to the `399117-add-security-policy-vulnerability_attributes` branch.
2. Run migrations: `bin/rails db:migrate`.
3. Create a new policy:
   1. Create a project.
   2. In the left sidebar, select Security & Compliance and Policies.
   3. Select New Policy.
   4. Select Scan result policy.
   5. For Name choose any name.
   6. For Rules choose "when Security Scan Secret Detection runs against the All protected branches and find(s). Any vulnerabilities that match all of the following criteria:".
   7. In Actions select "Require 1 approval from:".
   8. Select any user that is not you.
   9. Switch to `.yaml` mode.
   10. Add the attributes below `vulnerability_states: []`:
       ```yaml
       vulnerability_attributes:
         false_positive: false
         fix_available: true
       ```
       Alternatively to steps 5 to 10, you can switch to `.yaml` mode and copy the Policy example below, replacing the `user_approvers_ids` with a valid user ID that has access to the project.
   11. Select Configure with a merge request.
   12. Merge the MR.
   13. Verify the policy and approval rule were created.
4. Copy the project ID from the project you created in step 3.1.
5. Start a rails console: `rails console`.
6. Find the scan result policy: `Project.find(82).security_orchestration_policy_configuration.scan_result_policy_reads.last`
7. Verify that `vulnerability_attributes` matches `{ 'false_positive' => false, 'fix_available' => true }`.
8. Find the approval project rule: `Project.find(82).approval_rules.last.vulnerability_attributes`
9. Verify that `vulnerability_attributes` matches `{ 'false_positive' => false, 'fix_available' => true }`.
Policy example

```yaml
type: scan_result_policy
name: test
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    vulnerability_attributes:
      false_positive: false
      fix_available: true
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.
Related to #399117 (closed)