Update security policies when project's compliance framework is updated
What does this MR do and why?
This MR refreshes the security policies for a project when a compliance framework is assigned to or unassigned from the project. This is achieved by publishing a new event (Projects::ComplianceFrameworkChangedEvent).
Addresses #428491 (closed)
Screenshots (captions only): Group with projects; Policy; Project with Framework; Project without Framework
How to set up and validate locally
- Create a top level group and create a compliance framework
- Create 2 projects within the group
- Create a scan result policy with policy_scope and add the ID of the compliance framework:
  type: scan_result_policy
  name: SRP
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
      - id: 5
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 22
- Assign the compliance framework to one of the projects in the group (Settings -> General -> Compliance Frameworks)
- Create an MR that updates the README in both projects and verify that the project with the compliance framework assigned requires an approval and the project without the compliance framework does not
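As an added illustration (not GitLab's own code) of the policy_scope check that this MR keeps current: the policy above is parsed with Ruby's YAML library, a scope check decides whether it applies to a project's assigned framework, and a stand-in handler recomputes the required approvals when the assignment changes. The framework ID 5, the approver group ID 22, and the scope semantics (no compliance_frameworks scope means "all projects") are assumptions for this example.

```ruby
require 'yaml'

# Constructed sample: the policy from the MR description (IDs 5 and 22 are
# placeholders for a compliance framework and an approver group).
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: SRP
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
      - id: 5
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 22
YAML
POLICIES = [YAML.safe_load(POLICY_YAML)]

# Does the policy cover a project whose compliance framework has +framework_id+
# (nil when none is assigned)? Assumed semantics: no compliance_frameworks scope
# means the policy applies to every project; otherwise only to listed frameworks.
def policy_applies?(policy, framework_id)
  return false unless policy['enabled']
  scoped = policy.dig('policy_scope', 'compliance_frameworks')
  scoped.nil? || scoped.any? { |fw| fw['id'] == framework_id }
end

# Total approvals required on the project's MRs by the applicable policies.
def required_approvals(policies, framework_id)
  policies.select { |p| policy_applies?(p, framework_id) }
          .flat_map { |p| p.fetch('actions', []) }
          .sum { |a| a['type'] == 'require_approval' ? a['approvals_required'] : 0 }
end

# Stand-in for reacting to Projects::ComplianceFrameworkChangedEvent: the
# effective rules must be recomputed, not kept from the old assignment.
def on_framework_changed(policies, old_framework_id, new_framework_id)
  { before: required_approvals(policies, old_framework_id),
    after: required_approvals(policies, new_framework_id) }
end
```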
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Sashi Kumar Kumaresan