Skip to content

Fix compliance framework graphql query to return correct policies

Sashi Kumar Kumaresan requested to merge sk/443816-fix-graphql-query into master

What does this MR do and why?

This MR fixes a bug with ComplianceFramework graphql query where it returns all the policies associated with Security::OrchestrationPolicyConfiguration. The fix is to filter the policies by checking if the framework is present in the policy_scope section of the YAML.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before After
Screenshot_2024-02-29_at_8.07.56_PM Screenshot_2024-02-29_at_8.07.35_PM

How to set up and validate locally

  1. Create new group, enable Security policy scope (Experiment) in Settings under Permissions and group features
  2. Create two compliance frameworks using Security -> Compliance center -> Frameworks
  • First Framework
  • Second Framework
  1. Create three scan execution policies in group, with following config:
---
scan_execution_policy:
- name: demo-scan-1
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 375
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection
- name: demo-scan-2
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 376
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection
- name: demo-scan-3
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks: []
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: secret_detection

(replace 375 and 376 with relevant compliance frameworks ids)

Basically it configures following:

  • demo-scan-1 is linked to compliance framework First Framework
  • demo-scan-2 is linked to compliance framework Second Framework
  • demo-scan-3 is not linked anywhere

Run following graphql query, using graphql-explorer:

{
  namespace(fullPath: "compliance-pipelines") {
    complianceFrameworks {
      nodes {
        id
        scanExecutionPolicies {
          nodes {
            name
            enabled
          }
        }
      }
    }
  }
}

Addresses #443816 (closed)

Edited by Sashi Kumar Kumaresan

Merge request reports

Loading