Add GraphQL fragment and queries for project security exclusions
What does this MR do and why?
This merge request adds more GraphQL resources for the project security exclusions.
- Fragment: `ProjectSecurityExclusionFragment`
- Queries: `ProjectSecurityExclusions` and `ProjectSecurityExclusion`
It also updates the finder and resolver so that the query is handled correctly when a single security exclusion is retrieved.
Resolves #479305 partially.
Note: The target branch is `ahmed.hemdan-allowlist-for-secret-push-protection-9e046465` because this merge request was built using stacked diffs, so it merges back onto the previous merge request. I'm also happy to wait until the earlier MRs (1, 2) have been approved and merged before proceeding with this one.
MR acceptance checklist
I have evaluated this MR against the MR acceptance checklist.
How to set up and validate locally
- To test that the queries work as expected, select a project that already exists in your GDK or create a new one.
- Find the project id for the project you have chosen or just created.
- Start the Rails console with `bin/rails console` to create a few project security exclusion records.
- Run the following to create those records:

```ruby
project = Project.find(PROJECT_ID_GOES_HERE)
project.security_exclusions.create(scanner: :secret_push_protection, type: :path, value: 'spec/models/project_spec.rb')
project.security_exclusions.create(scanner: :secret_push_protection, type: :regex_pattern, value: 'SK[0-9a-fA-F]{32}', active: false)
project.security_exclusions.create(scanner: :secret_push_protection, type: :rule, value: 'gitlab_personal_access_token')
project.security_exclusions.create(scanner: :secret_push_protection, type: :raw_value, value: 'glpat-12345678901234567890', active: false) # dummy value used for testing
```
- Navigate to the interactive GraphQL explorer on your GDK.
- Run the following query, with and without filters like `type: RAW_VALUE`, `scanner: SECRET_PUSH_PROTECTION`, or `active: true`:

```graphql
query ProjectSecurityExclusions($fullPath: ID!) {
  project(fullPath: $fullPath) {
    id
    securityExclusions(type: RAW_VALUE) {
      nodes {
        id
        scanner
        type
        active
        description
        value
      }
    }
  }
}
```
- Make sure to define the project's full path as the variable `$fullPath` using the interface:

```json
{
  "fullPath": "PROJECT_FULL_PATH_GOES_HERE"
}
```
- Repeat for a specific exclusion using the other query, `query ProjectSecurityExclusion`, and verify that it works as expected.
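As an added illustration (not part of this MR or of GitLab's own code), the following Ruby script builds the collection query above with any subset of the filters, validates each filter value against an allowlist before it enters the query document, sends it to a GDK instance and extracts the returned nodes. The GDK endpoint URL, the `GITLAB_TOKEN` environment variable and the upper-cased enum names other than `RAW_VALUE` and `SECRET_PUSH_PROTECTION` are assumptions.

```ruby
require 'json'
require 'net/http'

# Allowlist of filter arguments for securityExclusions. RAW_VALUE and
# SECRET_PUSH_PROTECTION appear in the MR; the other type names are assumed
# from the model's type values (path, regex_pattern, rule).
FILTERS = {
  type: %w[PATH REGEX_PATTERN RULE RAW_VALUE],
  scanner: %w[SECRET_PUSH_PROTECTION],
  active: [true, false]
}.freeze
FIELDS = 'id scanner type active description value'

# Builds the ProjectSecurityExclusions query with any subset of the filters.
# Each value is checked against FILTERS before it is placed in the document,
# so caller input can never alter the query's structure.
def exclusions_query(filters = {})
  args = filters.map do |name, value|
    allowed = FILTERS.fetch(name) { raise ArgumentError, "unknown filter #{name}" }
    raise ArgumentError, "bad value #{value.inspect} for #{name}" unless allowed.include?(value)
    "#{name}: #{value}"
  end
  arg_list = args.empty? ? '' : "(#{args.join(', ')})"
  <<~GQL
    query ProjectSecurityExclusions($fullPath: ID!) {
      project(fullPath: $fullPath) {
        id
        securityExclusions#{arg_list} { nodes { #{FIELDS} } }
      }
    }
  GQL
end

# Pulls the exclusion nodes out of a response body; a missing project (for
# example a path the token cannot see) yields [] rather than a NoMethodError.
def parse_exclusions(body)
  data = JSON.parse(body)
  raise "GraphQL errors: #{data['errors'].inspect}" if data['errors']
  data.dig('data', 'project', 'securityExclusions', 'nodes') || []
end

# POSTs the query to GDK. The endpoint URL and GITLAB_TOKEN env var are assumptions.
def run_query(full_path, filters = {})
  uri = URI(ENV.fetch('GDK_GRAPHQL_URL', 'http://gdk.test:3000/api/graphql'))
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                 'Authorization' => "Bearer #{ENV.fetch('GITLAB_TOKEN')}")
  req.body = { query: exclusions_query(filters), variables: { fullPath: full_path } }.to_json
  parse_exclusions(Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }.body)
end
```

Calling `run_query('group/project', type: 'RAW_VALUE', active: false)` reproduces the filtered query from the steps above; an unknown filter name or value is rejected before any request is sent.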
Query Plans
Please note that the table was only created a few days ago, so it has no records in the database at this point, but I have included the query plans below.
With `id` filter specified:

```sql
SELECT
  "project_security_exclusions".*
FROM
  "project_security_exclusions"
WHERE
  "project_security_exclusions"."project_id" = 278964
  AND "project_security_exclusions"."id" = 1;
```
Query Plan: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/31400/commands/97555.