Skip to content

Add vulnerability_attributes to security policy rules

What does this MR do and why?

This adds a new field vulnerability_attributes to scan execution policy rules. The goal is to allow users to create approval rules based on this attributes. Some examples:

Require approval only if vulnerability findings are not false-positive

Scenario: If a finding is false-positive there is no need to require approval

Attributes definition:

vulnerability_attributes:
  false_positive: false

Full security policy example yaml:

scan_result_policy:
- name: test
  description: ''
  enabled: true
  rules:
  - type: scan_finding
    branches: []
    scanners:
    - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    vulnerability_attributes:
      false_positive: true
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - 44
Require approval if vulnerability findings are not false-positive and there is a fix available

Scenario:

  • If a finding is false-positive there is no need to require approval.
  • If the vulnerability can't be fixed, there is no need to require approval.

Attributes definition:

vulnerability_attributes:
  false_positive: false
  fix_available: true

Full security policy example yaml:

scan_result_policy:
- name: test
  description: ''
  enabled: true
  rules:
  - type: scan_finding
    branches: []
    scanners:
    - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    vulnerability_attributes:
      false_positive: false
      fix_available: true
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - 44

This MR adds the JSON schemas and logic to define those rules in the security policy YAML. It does not enforce the rules yet. The new rules are also not shown on the frontend or documentation, so it should be safe to introduce it without a feature flag.

Screenshots or screen recordings

How to set up and validate locally

  1. Switch to the 399117-add-security-policy-vulnerability_attributes branch.
  2. Run migrations bin/rails db:migrate.
  3. Create a new policy
    1. Create a project
    2. left sidebar, select Security & Compliance and Policies.
    3. Select New Policy.
    4. Select Scan result policy.
    5. For Name choose any name.
    6. For Rules choose "when Security Scan Secret Detection runs against the All protected branches and find(s). Any vulnerabilities that match all of the following criteria:".
    7. In Actions Select "Require 1 approval from:".
    8. Select any user that is not you.
    9. Switch to .yaml mode.
    10. Add attributes below vulnerability_states: []
    vulnerability_attributes:
      false_positive: false
      fix_available: true
    1. Alternatively to steps 5 to 10, you can switch to .yaml mode and copy the Policy example below. And replace the user_approvers_ids with a valid user ID that has access to the project.
    2. Select Configure with a merge request
    3. Merge the MR
  4. Verify the policy and approval rule was created.
    1. Copy the project ID from the project you created in step 3.1
    2. Start a rails console rails console
    3. Find the scan result policy Project.find(82).security_orchestration_policy_configuration.scan_result_policy_reads.last
    4. Verify that vulnerability_attributes matches { 'false_positive' => false, 'fix_available' => true }.
    5. Find the approval project rule Project.find(82).approval_rules.last.vulnerability_attributes
    6. Verify that vulnerability_attributes matches { 'false_positive' => false, 'fix_available' => true }.
Policy example
type: scan_result_policy
name: test
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    vulnerability_attributes:
      false_positive: false
      fix_available: true
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #399117 (closed)

Edited by Andy Schoenen

Merge request reports

Loading