Load only one scan_finding rule per MR
## What does this MR do and why?

Load only one `scan_finding` rule per scan result policy. A single scan result policy can contain multiple `scan_finding` rules, but they all share the same `approvers` and `approvals_required`, so one approval rule per policy is sufficient.
Related issues: #341962 (closed) and #341961 (closed)
## Screenshots or screen recordings

### database migration

```shell
$ bundle exec rails db:rollback
== 20211108204736 AddPolicyIdxToApprovalRule: reverting =======================
-- remove_column(:approval_merge_request_rules, :policy_idx, :integer, {:limit=>2})
   -> 0.0126s
-- remove_column(:approval_project_rules, :policy_idx, :integer, {:limit=>2})
   -> 0.0017s
== 20211108204736 AddPolicyIdxToApprovalRule: reverted (0.0200s) ==============

$ bundle exec rails db:migrate
== 20211108204736 AddPolicyIdxToApprovalRule: migrating =======================
-- add_column(:approval_project_rules, :policy_idx, :integer, {:limit=>2})
   -> 0.0047s
-- add_column(:approval_merge_request_rules, :policy_idx, :integer, {:limit=>2})
   -> 0.0026s
== 20211108204736 AddPolicyIdxToApprovalRule: migrated (0.0075s) ==============
```
## How to set up and validate locally

- Enable the `:scan_result_policy` flag
- Fetch the branch and run pending migrations
- Follow steps for setting up scan execution policy
- Set up a YAML file with the following (making sure the approver (e.g., `adalberto.dare`) exists in your local setup). Note that if your project's main branch is called `main` rather than `master`, replace `- master` with `- main`:
```yaml
---
scan_execution_policy:
  - name: Enforce DAST in every pipeline
    description: This policy enforces pipeline configuration to have a job with DAST scan
    enabled: true
    rules:
      - type: pipeline
        branches:
          - master
    actions:
      - scan: dast
        site_profile: Scanner Profile A
        scanner_profile: Site Profile B
scan_result_policy:
  - name: critical vulnerability CS approvals
    description: critical severity level only for container scanning
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - master
        scanners:
          - container_scanning
        vulnerabilities_allowed: 1
        severity_levels:
          - critical
      - type: scan_finding
        branches:
          - master
        scanners:
          - dast
        vulnerabilities_allowed: 1
        severity_levels:
          - info
      - type: scan_finding
        branches:
          - master
        scanners:
          - container_scanning
        vulnerabilities_allowed: 10
        severity_levels:
          - low
    actions:
      - type: require_approval
        approvals_required: 1
        approvers:
          - adalberto.dare
  - name: secondary CS approvals
    description: secondary only for container scanning
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - master
        scanners:
          - container_scanning
        vulnerabilities_allowed: 1
        severity_levels:
          - critical
      - type: scan_finding
        branches:
          - master
        scanners:
          - container_scanning
        vulnerabilities_allowed: 10
        severity_levels:
          - medium
    actions:
      - type: require_approval
        approvals_required: 1
        approvers:
          - adalberto.dare
```
- Create a new file in the main project (`.gitlab-ci.yaml`) with the following:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  DOCKER_IMAGE: python:3.4-alpine
```
- Create a new MR in the project
- You will see the rules in the MR widget, similar to the ones available in the screenshots section.
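To show why one approval rule per policy is enough, here is an added Ruby illustration (not GitLab's own code) that builds approval rules from the `scan_result_policy` section of the policy file above, once the old way (one rule per `scan_finding`) and once the new way (one rule per policy, tagged with `policy_idx`). The helper names are hypothetical, and it assumes the policy's first `scan_finding` rule is the one kept.

```ruby
require 'yaml'

# Constructed sample: the scan_result_policy section of the policy file above, in YAML flow style.
POLICY_YAML = <<~YAML
  scan_result_policy:
    - name: critical vulnerability CS approvals
      enabled: true
      rules:
        - {type: scan_finding, branches: [master], scanners: [container_scanning], vulnerabilities_allowed: 1, severity_levels: [critical]}
        - {type: scan_finding, branches: [master], scanners: [dast], vulnerabilities_allowed: 1, severity_levels: [info]}
        - {type: scan_finding, branches: [master], scanners: [container_scanning], vulnerabilities_allowed: 10, severity_levels: [low]}
      actions:
        - {type: require_approval, approvals_required: 1, approvers: [adalberto.dare]}
    - name: secondary CS approvals
      enabled: true
      rules:
        - {type: scan_finding, branches: [master], scanners: [container_scanning], vulnerabilities_allowed: 1, severity_levels: [critical]}
        - {type: scan_finding, branches: [master], scanners: [container_scanning], vulnerabilities_allowed: 10, severity_levels: [medium]}
      actions:
        - {type: require_approval, approvals_required: 1, approvers: [adalberto.dare]}
YAML

# Hypothetical helper (not GitLab's): the approval-rule attributes derived from a policy and one of its rules.
def build_approval_rule(policy, rule)
  action = policy['actions'].find { |a| a['type'] == 'require_approval' }
  { name: policy['name'], approvals_required: action['approvals_required'],
    approvers: action['approvers'], scanners: rule['scanners'] }
end

# Before this MR: every scan_finding rule became its own approval rule, so the
# two policies above yield five rules that all carry the same approvers.
def approval_rules_per_finding(yaml)
  YAML.safe_load(yaml)['scan_result_policy'].flat_map do |policy|
    next [] unless policy['enabled']
    policy['rules'].select { |r| r['type'] == 'scan_finding' }
                   .map { |rule| build_approval_rule(policy, rule) }
  end
end

# After this MR: one approval rule per policy (assumed here to come from the policy's
# first scan_finding rule), tagged with policy_idx, the column the migration adds,
# so the stored rule can be mapped back to its policy.
def approval_rules_per_policy(yaml)
  YAML.safe_load(yaml)['scan_result_policy'].each_with_index.filter_map do |policy, idx|
    next unless policy['enabled']
    rule = policy['rules'].find { |r| r['type'] == 'scan_finding' }
    build_approval_rule(policy, rule).merge(policy_idx: idx) if rule
  end
end
```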
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.
Edited by Luke Duncalfe