Enhance policy validation to consider scan result
What does this MR do and why?
Enhance policy validation to consider scan result policy as its rule can have no branches. It also clears up a misunderstanding in a comment.
Related issue: #352307 (closed)
How to set up and validate locally
- Enable
scan_result_policy
feature flag - Create a security project as described in the docs
- Create a new scan result policy with the project owner
- Run the following mutation with parameters similar to:
mutation updatePolicy($projectPath: ID!, $mode: MutationOperationMode = APPEND, $name: String, $policyYaml: String!) {
scanExecutionPolicyCommit(
input: {name: $name, projectPath: $projectPath, operationMode: $mode, policyYaml: $policyYaml}
) {
branch
errors
__typename
}
}
Query Variables
{
"mode": "REPLACE",
"name": "secondary CS approvals",
"projectPath": "test-group1/part-of-the-test-group",
"policyYaml": "type: scan_result_policy\nname: secondary CS approvals\ndescription: secondary only for container scanning\nenabled: true\nrules:\n - type: scan_finding\n branches: []\n scanners:\n - container_scanning\n vulnerabilities_allowed: 1\n severity_levels:\n - critical\n vulnerability_states:\n - newly_detected\nactions:\n - type: require_approval\n approvals_required: 1\n user_approvers_ids:\n - 11\n"
}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Zamir Martins