Skip to content

Check project policy_configuration ids on syncing compliance framework

Sashi Kumar Kumaresan requested to merge sk/439911-fix-comp-framework into master

What does this MR do and why?

This MR fixes a bug with the policy scope experimental feature where if a compliance framework is linked to multiple policies of different groups, the policies are enforced on MRs of projects that do not inherit the corresponding policy.

flowchart TD
    A[Framework A] --> B(Policy A)
    A --> C(Policy B)
    C --> D(Project A)
    B --> E(Project B)

In this case the bug is: MRs in project B have approvals from policy A enforced.

The fix is to check if the security_orchestration_policy_configuration ID is applicable for the project before syncing the approval rules.

Steps to reproduce

  1. Create two subgroups
  2. Create policies within the two subgroups that enforce against the same compliance framework label
  3. Observe that any projects in the group with the label are enforced (when instead the enforcement should filter to only projects within the same subgroup)

Addresses #439911 (closed)

Edited by Sashi Kumar Kumaresan

Merge request reports

Loading