Update scan policies documentation with new format

67df7406 · Alan (Maciej) Paruszewski · Russell Dickenson · 43c8d4d3 · 67df7406
Commit 67df7406 authored Apr 12, 2021 by Alan (Maciej) Paruszewski Committed by Russell Dickenson Apr 12, 2021
Show whitespace changes
Inline Side-by-side

Showing with 60 additions and 28 deletions

doc/user/application_security/policies/index.md doc/user/application_security/policies/index.md +60 -28

No files found.
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -55,29 +55,46 @@ Feature.disable(:security_orchestration_policies_configuration, Project.find(<pr
 ## Security Policies project
-The Security Policies feature is a repository to store policies. All security policies are stored in
+The Security Policies feature is a repository to store policies. All security policies are stored as
-the `.gitlab/security-policies` directory as a YAML file with this format:
+the `.gitlab/security-policies/policy.yml` YAML file with this format:
 ```yaml
 ---
-type: scan_execution_policy
+scan_execution_policy:
-name: Enforce DAST in every pipeline
+- name: Enforce DAST in every pipeline
-description: This policy enforces pipeline configuration to have a job with DAST scan
+  description: This policy enforces pipeline configuration to have a job with DAST scan
-enabled: true
+  enabled: true
-rules:
+  rules:
- type: pipeline
+  - type: pipeline
    branch: master
-actions:
+  actions:
- scan: dast
+  - scan: dast
    scanner_profile: Scanner Profile A
    site_profile: Site Profile B
+- name: Enforce DAST in every pipeline in main branch
+  description: This policy enforces pipeline configuration to have a job with DAST scan for main branch
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: main
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile C
+    site_profile: Site Profile D
 ```
+### Scan Execution Policies Schema
+The YAML file with Scan Execution Policies consists of an array of objects matching Scan Execution Policy Schema nested under the `scan_execution_policy` key. You can configure a maximum of 5 policies under the `scan_execution_policy` key.
+| Field | Type | Possible values | Description |
+|-------|------|-----------------|-------------|
+| `scan_execution_policy` | `array` of Scan Execution Policy |  | List of scan execution policies (maximum 5) |
 ### Scan Execution Policy Schema
 | Field | Type | Possible values | Description |
 |-------|------|-----------------|-------------|
-| `type` | `string` | `scan_execution_policy` | The policy's type. |
 | `name` | `string` |  | Name of the policy. |
 | `description` (optional) | `string` |  | Description of the policy. |
 | `enabled` | `boolean` | `true`, `false` | Flag to enable (`true`) or disable (`false`) the policy. |
@@ -107,7 +124,7 @@ rule in the defined policy are met.
 Note the following:
 - You must create the [site profile](../dast/index.md#site-profile) and [scanner profile](../dast/index.md#scanner-profile)
-  with selected names for the project that is assigned to the selected Security Policy Project.
+  with selected names for each project that is assigned to the selected Security Policy Project.
  Otherwise, the policy is not applied and a job with an error message is created instead.
 - Once you associate the site profile and scanner profile by name in the policy, it is not possible
  to modify or delete them. If you want to modify them, you must first disable the policy by setting
@@ -117,22 +134,37 @@ Here's an example:
 ```yaml
 ---
-type: scan_execution_policy
+scan_execution_policy:
-name: Enforce DAST in every pipeline
+- name: Enforce DAST in every release pipeline
-description: This policy enforces pipeline configuration to have a job with DAST scan
+  description: This policy enforces pipeline configuration to have a job with DAST scan for release branches
-enabled: true
+  enabled: true
-rules:
+  rules:
- type: pipeline
+  - type: pipeline
    branch: release/*
-actions:
+  actions:
- scan: dast
+  - scan: dast
    scanner_profile: Scanner Profile A
    site_profile: Site Profile B
+- name: Enforce DAST in every pipeline in main branch
+  description: This policy enforces pipeline configuration to have a job with DAST scan for main branch
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: main
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile C
+    site_profile: Site Profile D
 ```
 In this example, the DAST scan runs with the scanner profile `Scanner Profile A` and the site
-profile `Site Profile B`. The scan runs for every pipeline executed on branches that match the
+profile `Site Profile B` for every pipeline executed on branches that match the
-`release/*` wildcard (for example, branch name `release/v1.2.1`).
+`release/*` wildcard (for example, branch name `release/v1.2.1`); and the DAST scan runs with
+the scanner profile `Scanner Profile C` and the site profile `Site Profile D` for every pipeline executed on `main` branch.
+NOTE:
+All scanner and site profiles must be configured and created for each project that is assigned to the selected Security Policy Project.
+If they are not created, the job will fail with the error message.
 ## Security Policy project selection