Remove support scan_result_policy type
What does this MR do and why?
Remove support scan_result_policy type
- remove FE support for `type: scan_result_policy` policies; verified that `type: scan_result_policy` policies are automatically converted to `type: approval_policy`
- update tests

Changelog: changed
EE: true
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Upload a GitLab Ultimate license
- Create a project
- Create the below file at `.gitlab/security-policies/policy.yml`
File:

```yaml
---
scan_execution_policy:
- name: Enforce Secret Detection/SAST/Container Scanning in every default branch pipeline
  description: This policy enforces pipeline configuration to have a job with Secret Detection/SAST/Container Scanning scans for the default branch
  enabled: true
  rules:
  - type: pipeline
    branches:
    - main
  actions:
  - scan: secret_detection
  - scan: sast
    variables:
      SAST_EXCLUDED_ANALYZERS: brakeman
  - scan: container_scanning
- name: Policy with no description
  description: ''
  enabled: false
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: sast
scan_result_policy:
- name: Require security approval for critical-only vulnerabilities/
  description: Require security approval for critical vulnerability found on the main branch through container_scanning
  enabled: false
  rules:
  - type: scan_finding
    branches:
    - master
    scanners:
    - container_scanning
    vulnerabilities_allowed: 5
    severity_levels:
    - critical
    vulnerability_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - 1677023
- name: License Approval Policy
  description: The GitLab legal team requires approval of licenses that have not been preapproved for use.
  enabled: true
  rules:
  - type: license_finding
    branches:
    - spooky-stuff
    match_on_inclusion: false
    license_types:
    - 3dfx Glide License
    license_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - maintainer
    - owner
  approval_settings:
    block_unprotecting_branches: false
    prevent_pushing_and_force_pushing: true
- name: block_protected_branch_modification setting issue
  description: ''
  enabled: false
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
  approval_settings:
    block_protected_branch_modification:
      enabled: true
approval_policy:
- name: Prevent Critical Vulnerabilities
  description: This is to prevent Critical/High Vulnerabilities from getting merged
  enabled: false
  actions:
  - type: require_approval
    approvals_required: 2
    role_approvers:
    - maintainer
    - developer
    - owner
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels:
    - critical
    vulnerability_states: []
    branch_type: protected
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: false
- name: Licenses - a lot
  description: ''
  enabled: false
  rules:
  - type: license_finding
    match_on_inclusion: false
    license_types:
    - 3dfx Glide License
    - AMD's plpa_map.c License
    - ANTLR Software Rights Notice
    - Abstyles License
    - Academic Free License v1.1
    - Academic Free License v1.2
    - Academic Free License v2.0
    - Academic Free License v2.1
    - Academic Free License v3.0
    - Academy of Motion Picture Arts and Sciences BSD
    - Adobe Glyph List License
    - Adaptive Public License 1.0
    - Adobe Postscript AFM License
    - Adobe Systems Incorporated Source Code License Agreement
    - Affero General Public License v1.0 only
    license_states:
    - newly_detected
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
    - maintainer
  approval_settings:
    block_branch_modification: false
    prevent_pushing_and_force_pushing: false
- name: License policy - breaking change
  description: ''
  enabled: false
  rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
    - AMD's plpa_map.c License
    license_states:
    - newly_detected
    branch_type: protected
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
- name: Settings only / No Actions
  description: ''
  enabled: true
  rules:
  - type: license_finding
    branches: []
    match_on_inclusion: true
    license_types:
    - Abstyles License
    license_states:
    - newly_detected
    - detected
  approval_settings:
    block_protected_branch_modification:
      enabled: true
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - maintainer
    - developer
    - owner
```
- Navigate to the project => Secure => Policies => Edit policy project => Link current project to itself
- View the policies in the list
- Verify all the scan result policies and approval policies from the file show up as `Merge request approval` for `Policy type` in the list
- Click on all the policies
- Verify the drawer shows up appropriately
- Click on the policy `block_protected_branch_modification setting issue` and click `Edit policy`
- Verify the user is navigated to the url ending in `/-/security/policies/block_protected_branch_modification+setting+issue/edit?type=approval_policy`
- Verify the yaml shows `type: approval_policy`
- Without changing anything, click `Configure with a merge request`
- Verify in the resulting MR, the policy has no change except that it is moved to the `approval_policy` section
- Navigate to the project => Secure => Policies => New policy => Merge request approval policy
- Verify the url ends in `/-/security/policies/new?type=approval_policy`
- Verify the yaml shows `type: approval_policy`
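The conversion these steps verify, as an added JavaScript example that is not part of this MR or of GitLab's code: it takes a parsed `policy.yml` object (a constructed subset of the file above, embedded inline so it runs offline), moves every entry of `scan_result_policy` into `approval_policy` without changing it, and builds the edit path the steps expect for a migrated policy. The helper names `migrateScanResultPolicies`, `policyEditPath` and `hasNoScanResultPolicies`, and the `+`-for-space encoding of the policy name in the path, are assumptions made for illustration, not GitLab's implementation.

```javascript
// Added example, not GitLab's code. The config below is a constructed subset
// of the policy.yml from the setup steps, already parsed into an object.
const policyConfig = {
  scan_execution_policy: [
    { name: 'Policy with no description', description: '', enabled: false,
      rules: [{ type: 'pipeline', branches: ['*'] }],
      actions: [{ scan: 'sast' }] },
  ],
  scan_result_policy: [
    { name: 'block_protected_branch_modification setting issue', description: '', enabled: false,
      rules: [{ type: 'scan_finding', scanners: [], vulnerabilities_allowed: 0,
                severity_levels: [], vulnerability_states: [], branch_type: 'protected' }],
      actions: [{ type: 'require_approval', approvals_required: 1, role_approvers: ['owner'] }],
      approval_settings: { block_protected_branch_modification: { enabled: true } } },
  ],
  approval_policy: [
    { name: 'Prevent Critical Vulnerabilities',
      description: 'This is to prevent Critical/High Vulnerabilities from getting merged',
      enabled: false,
      actions: [{ type: 'require_approval', approvals_required: 2,
                  role_approvers: ['maintainer', 'developer', 'owner'] }],
      rules: [{ type: 'scan_finding', scanners: [], vulnerabilities_allowed: 0,
                severity_levels: ['critical'], vulnerability_states: [], branch_type: 'protected' }],
      approval_settings: { block_branch_modification: true, prevent_pushing_and_force_pushing: false } },
  ],
};

// Hypothetical helper: move every scan_result_policy entry to the end of
// approval_policy, byte-for-byte unchanged, and drop the legacy key.
// Returns a new object; the input is left untouched so a caller can diff them.
function migrateScanResultPolicies(config) {
  const legacy = config.scan_result_policy || [];
  const migrated = { ...config };
  delete migrated.scan_result_policy;
  migrated.approval_policy = [
    ...(config.approval_policy || []),
    // deep copy so later edits to the result never reach the original
    ...legacy.map((policy) => JSON.parse(JSON.stringify(policy))),
  ];
  return migrated;
}

// Hypothetical helper: edit path for a policy with the type query param the
// steps expect. Encoding spaces as '+' reproduces the URL quoted above;
// that encoding is an assumption, not a documented GitLab rule.
function policyEditPath(policyName, policyType = 'approval_policy') {
  const encoded = encodeURIComponent(policyName).replace(/%20/g, '+');
  return `/-/security/policies/${encoded}/edit?type=${policyType}`;
}

// Hypothetical check: true when no legacy section survives in a config.
function hasNoScanResultPolicies(config) {
  return !Object.prototype.hasOwnProperty.call(config, 'scan_result_policy');
}

const migrated = migrateScanResultPolicies(policyConfig);
console.log(JSON.stringify(migrated, null, 2));
console.log(policyEditPath('block_protected_branch_modification setting issue'));
```

Diffing `migrated` against `policyConfig` shows the only change the steps allow: the policy body is identical and has merely moved section.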
Related to #457351 (closed)
Edited by Alexander Turinske