
Add GraphQL fragment and queries for project security exclusions

What does this MR do and why?

This merge request adds more GraphQL resources for the project security exclusions.

  • Fragment:
    • ProjectSecurityExclusionFragment
  • Queries:
    • ProjectSecurityExclusions
    • ProjectSecurityExclusion

It also updates the finder and resolver so that the query is handled correctly when a single security exclusion is retrieved.

Resolves #479305 (closed) partially.

Note: The target branch is ahmed.hemdan-allowlist-for-secret-push-protection-9e046465 because this merge request was built using stacked diffs, so it merges back onto the previous merge request. I'm also happy to wait until the earlier MRs (1, 2) have been approved and merged before proceeding with this one.

MR acceptance checklist

I have evaluated this MR against the MR acceptance checklist.

How to set up and validate locally

  • To test that the queries work as expected, select a project that already exists in your GDK or create a new one.
  • Find the project id of the project you have chosen or just created.
  • Start the Rails console (bin/rails console) to create a few project security exclusion records.
  • Run the following to create those records:
project = Project.find(PROJECT_ID_GOES_HERE)

# One exclusion per type; two are created inactive so the `active` filter can be exercised.
project.security_exclusions.create(scanner: :secret_push_protection, type: :path, value: 'spec/models/project_spec.rb')
project.security_exclusions.create(scanner: :secret_push_protection, type: :regex_pattern, value: 'SK[0-9a-fA-F]{32}', active: false)
project.security_exclusions.create(scanner: :secret_push_protection, type: :rule, value: 'gitlab_personal_access_token')
project.security_exclusions.create(scanner: :secret_push_protection, type: :raw_value, value: 'glpat-12345678901234567890', active: false) # dummy value used for testing
  • Navigate to the interactive GraphQL explorer on your GDK.
  • Run the following query, with and without filters like type: RAW_VALUE, scanner: SECRET_PUSH_PROTECTION, or active: true:
query ProjectSecurityExclusions($fullPath: ID!) {
  project(fullPath: $fullPath) {
    id
    securityExclusions(type: RAW_VALUE) {
      nodes {
        id
        scanner
        type
        active
        description
        value
      }
    }
  }
}
  • Make sure to define the project's full path as the variable $fullPath in the explorer's query variables pane:
{
  "fullPath": "PROJECT_FULL_PATH_GOES_HERE"
}
  • Repeat for a single exclusion using the other query (query ProjectSecurityExclusion) and verify that it returns the expected record.
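The following is an added illustration, not GitLab's finder or resolver code: a plain-Ruby stand-in that shows how the optional scanner, type and active filters used in the validation steps above compose, and how an id filter narrows the result to the single-record case the finder and resolver were updated for. The record shape, the SecurityExclusionsFinder class and its method names are assumptions made for the example; the four sample rows are constructed from the console snippet above.

```ruby
# Added illustration (not GitLab's code). Plain-Ruby stand-in for a
# security-exclusions finder over in-memory records, so it runs offline.
Exclusion = Struct.new(:id, :scanner, :type, :value, :active, keyword_init: true)

# Constructed sample rows mirroring the four records created in the console steps.
SAMPLE_EXCLUSIONS = [
  Exclusion.new(id: 1, scanner: :secret_push_protection, type: :path,          value: 'spec/models/project_spec.rb',  active: true),
  Exclusion.new(id: 2, scanner: :secret_push_protection, type: :regex_pattern, value: 'SK[0-9a-fA-F]{32}',            active: false),
  Exclusion.new(id: 3, scanner: :secret_push_protection, type: :rule,          value: 'gitlab_personal_access_token', active: true),
  Exclusion.new(id: 4, scanner: :secret_push_protection, type: :raw_value,     value: 'glpat-12345678901234567890',   active: false) # dummy value
].freeze

# Hypothetical finder: every filter is optional and they AND together.
class SecurityExclusionsFinder
  VALID_SCANNERS = %i[secret_push_protection].freeze
  VALID_TYPES = %i[path regex_pattern rule raw_value].freeze

  def initialize(records, params = {})
    @records = records
    @params = params
  end

  # Returns an Array of matching exclusions. An unknown scanner or type raises
  # instead of silently matching nothing, so a typo in a filter is visible.
  def execute
    validate!
    @records
      .select { |r| @params[:id].nil?      || r.id == @params[:id] }
      .select { |r| @params[:scanner].nil? || r.scanner == @params[:scanner] }
      .select { |r| @params[:type].nil?    || r.type == @params[:type] }
      .select { |r| @params[:active].nil?  || r.active == @params[:active] }
  end

  # Single-record lookup: an id is mandatory and at most one record comes back
  # (nil when the id does not belong to this project's exclusions).
  def find_one
    raise ArgumentError, 'id filter required for a single lookup' if @params[:id].nil?

    execute.first
  end

  private

  def validate!
    scanner = @params[:scanner]
    type = @params[:type]
    raise ArgumentError, "unknown scanner: #{scanner.inspect}" if !scanner.nil? && !VALID_SCANNERS.include?(scanner)
    raise ArgumentError, "unknown type: #{type.inspect}" if !type.nil? && !VALID_TYPES.include?(type)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Same filters as the GraphQL validation steps: type, then active, then a single id.
  puts SecurityExclusionsFinder.new(SAMPLE_EXCLUSIONS, type: :raw_value).execute.map(&:id).inspect
  puts SecurityExclusionsFinder.new(SAMPLE_EXCLUSIONS, active: true).execute.map(&:id).inspect
  puts SecurityExclusionsFinder.new(SAMPLE_EXCLUSIONS, id: 2).find_one.value
end
```

Filtering by type: RAW_VALUE in the explorer should correspond to the first call above returning only the fourth record; the single-exclusion query corresponds to find_one, which returns nil rather than another project's record when the id is not in the project's own collection.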

Query Plans

Please note that the table was only created a few days ago, so it has no records in the database at this point, but I have included the query plans below.

With id filter specified

SELECT
    "project_security_exclusions".*
FROM
    "project_security_exclusions"
WHERE
    "project_security_exclusions"."project_id" = 278964
AND
    "project_security_exclusions"."id" = 1;

Query Plan: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/31400/commands/97555.

Edited by Ahmed Hemdan
