Skip to content

Remove support scan_result_policy type

Alexander Turinske requested to merge 457351-remove-scan-result-policy-type into master

What does this MR do and why?

Remove support scan_result_policy type

  • remove FE support for type: scan_result_policy policies
  • verified type: scan_result_policy policies are automatically converted to type: approval_policy
  • update tests

Changelog: changed

EE: true

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

convert_scan_result_policy

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Upload a GitLab Ultimate license
  2. Create a project
  3. Create the below file at .gitlab/security-policies/policy.yml
File
---
scan_execution_policy:
- name: Enforce Secret Detection/SAST/Container Scanning in every default branch pipeline
  description: This policy enforces pipeline configuration to have a job with Secret
    Detection/SAST/Container Scanning scans for the default branch
  enabled: true
  rules:
  - type: pipeline
    branches:
    - main
  actions:
  - scan: secret_detection
  - scan: sast
    variables:
      SAST_EXCLUDED_ANALYZERS: brakeman
  - scan: container_scanning
- name: Policy with no description
  description: ''
  enabled: false
  rules:
  - type: pipeline
    branches:
    - "*"
  actions:
  - scan: sast
scan_result_policy:
- name: Require security approval for critical-only vulnerabilities/
  description: Require security approval for critical vulnerability found on the main
    branch through container_scanning
  enabled: false
  rules:
  - type: scan_finding
    branches:
    - master
    scanners:
    - container_scanning
    vulnerabilities_allowed: 5
    severity_levels:
    - critical
    vulnerability_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - 1677023
- name: License Approval Policy
  description: The GitLab legal team requires approval of licenses that have not been
    preapproved for use.
  enabled: true
  rules:
  - type: license_finding
    branches:
    - spooky-stuff
    match_on_inclusion: false
    license_types:
    - 3dfx Glide License
    license_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - maintainer
    - owner
  approval_settings:
    block_unprotecting_branches: false
    prevent_pushing_and_force_pushing: true
- name: block_protected_branch_modification setting issue
  description: ''
  enabled: false
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
  approval_settings:
    block_protected_branch_modification:
      enabled: true
approval_policy:
- name: Prevent Critical Vulnerabilities
  description: This is to prevent Critical/High Vulnerabilities from getting merged
  enabled: false
  actions:
  - type: require_approval
    approvals_required: 2
    role_approvers:
    - maintainer
    - developer
    - owner
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels:
    - critical
    vulnerability_states: []
    branch_type: protected
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: false
- name: Licenses - a lot
  description: ''
  enabled: false
  rules:
  - type: license_finding
    match_on_inclusion: false
    license_types:
    - 3dfx Glide License
    - AMD's plpa_map.c License
    - ANTLR Software Rights Notice
    - Abstyles License
    - Academic Free License v1.1
    - Academic Free License v1.2
    - Academic Free License v2.0
    - Academic Free License v2.1
    - Academic Free License v3.0
    - Academy of Motion Picture Arts and Sciences BSD
    - Adobe Glyph List License
    - Adaptive Public License 1.0
    - Adobe Postscript AFM License
    - Adobe Systems Incorporated Source Code License Agreement
    - Affero General Public License v1.0 only
    license_states:
    - newly_detected
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
    - maintainer
  approval_settings:
    block_branch_modification: false
    prevent_pushing_and_force_pushing: false
- name: License policy - breaking change
  description: ''
  enabled: false
  rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
    - AMD's plpa_map.c License
    license_states:
    - newly_detected
    branch_type: protected
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
- name: Settings only / No Actions
  description: ''
  enabled: true
  rules:
  - type: license_finding
    branches: []
    match_on_inclusion: true
    license_types:
    - Abstyles License
    license_states:
    - newly_detected
    - detected
  approval_settings:
    block_protected_branch_modification:
      enabled: true
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - maintainer
    - developer
    - owner
  1. Navigate to the project => Secure => Policies => Edit policy project => Link current project to itself
  2. View the policies in the list
  3. Verify all the scan result policies and approval policies from the file show up as Merge request approval for Policy type in the list
  4. Click on all the policies
  5. Verify the drawer shows up appropriately
  6. Click on the policy block_protected_branch_modification setting issue and click Edit policy
  7. Verify the user is navigated to the url ending in /-/security/policies/block_protected_branch_modification+setting+issue/edit?type=approval_policy
  8. Verify the yaml shows type: approval_policy
  9. Without changing anything, click Configure with a merge request
  10. Verify in the resulting MR, the policy has no change except that it is moved to the approval_policy section
  11. Navigate to the project => Secure => Policies => New policy => Merge request approval policy
  12. Verify the url ends in /-/security/policies/new?type=approval_policy
  13. Verify the yaml shows type: approval_policy

Related to #457351 (closed)

Edited by Alexander Turinske

Merge request reports

Loading