Skip to content

Enhance policy validation to consider scan result

What does this MR do and why?

Enhance policy validation to consider scan result policy as its rule can have no branches. It also clears up a misunderstanding in a comment.

Related issue: #352307 (closed)

How to set up and validate locally

  1. Enable scan_result_policy feature flag
  2. Create a security project as described in the docs
  3. Create a new scan result policy with the project owner
  4. Run the following mutation with parameters similar to:
mutation updatePolicy($projectPath: ID!, $mode: MutationOperationMode = APPEND, $name: String, $policyYaml: String!) {
  scanExecutionPolicyCommit(
    input: {name: $name, projectPath: $projectPath, operationMode: $mode, policyYaml: $policyYaml}
  ) {
    branch
    errors
    __typename
  }
}
Query Variables
{
    "mode": "REPLACE",
    "name": "secondary CS approvals",
    "projectPath": "test-group1/part-of-the-test-group",
    "policyYaml": "type: scan_result_policy\nname: secondary CS approvals\ndescription: secondary only for container scanning\nenabled: true\nrules:\n  - type: scan_finding\n    branches: []\n    scanners:\n      - container_scanning\n    vulnerabilities_allowed: 1\n    severity_levels:\n      - critical\n    vulnerability_states:\n      - newly_detected\nactions:\n  - type: require_approval\n    approvals_required: 1\n    user_approvers_ids:\n      - 11\n"
}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins

Merge request reports

Loading