Merge branch 'sk/337728-consume-security-policy-factory' into 'master'

Consume security policy yaml in specs from factory

See merge request gitlab-org/gitlab!69109

ee/spec/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb

@@ -10,22 +10,7 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
     let_it_be(:policy_management_project) { create(:project, :repository, namespace: user.namespace) }
     let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
     let_it_be(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
-    let_it_be(:policy_yaml) do
-      <<-EOS
-        name: Run DAST in every pipeline
-        type: scan_execution_policy
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-      EOS
-    end
+    let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
 
     subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
 

ee/spec/graphql/resolvers/scan_execution_policy_resolver_spec.rb

@@ -11,17 +11,8 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
   let_it_be(:policy_last_updated_at) { Time.now }
   let_it_be(:user) { policy_management_project.owner }
 
-  let_it_be(:policy) do
-    {
-      name: 'Run DAST in every pipeline',
-      description: 'This policy enforces to run DAST for every pipeline within the project',
-      enabled: true,
-      rules: [{ type: 'pipeline', branches: %w[production] }],
-      actions: [
-        { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-      ]
-    }
-  end
+  let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
+  let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
 
   let(:repository) { instance_double(Repository, root_ref: 'master') }
 
@@ -33,7 +24,7 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
       commit.committed_date = policy_last_updated_at
       allow(policy_management_project).to receive(:repository).and_return(repository)
       allow(repository).to receive(:last_commit_for_path).and_return(commit)
-      allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
+      allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
     end
 
     context 'when feature is not licensed' do

ee/spec/graphql/types/dast_scanner_profile_type_spec.rb

@@ -73,43 +73,25 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
       let_it_be(:policies_project) { create(:project, :repository) }
       let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
 
-      let_it_be(:policy_yml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: #{dast_scanner_profile.name}
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-        - name: Run DAST in every pipeline 2
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 3
-            scanner_profile: Scanner Profile 3
-          - scan: dast
-            site_profile: Site Profile 4
-            scanner_profile: Scanner Profile 4
-        EOS
+      let(:policy1) do
+        build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: dast_scanner_profile.name },
+          { scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
+        ])
       end
 
+      let(:policy2) do
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
+          { scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
+        ])
+      end
+
+      let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
+
       before do
         create_list(:dast_scanner_profile, 30, project: project)
-        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
+        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
       end
 
       it 'only calls Gitaly twice when multiple profiles are present', :request_store do

ee/spec/graphql/types/dast_site_profile_type_spec.rb

@@ -138,43 +138,25 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
       let_it_be(:policies_project) { create(:project, :repository) }
       let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
 
-      let_it_be(:policy_yml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-        - name: Run DAST in every pipeline 2
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 3
-            scanner_profile: Scanner Profile 3
-          - scan: dast
-            site_profile: Site Profile 4
-            scanner_profile: Scanner Profile 4
-        EOS
+      let(:policy1) do
+        build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+          { scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
+        ])
       end
 
+      let(:policy2) do
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
+          { scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
+        ])
+      end
+
+      let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
+
       before do
         create_list(:dast_site_profile, 30, project: project)
-        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
+        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
       end
 
       it 'only calls Gitaly twice when multiple profiles are present', :request_store do

ee/spec/lib/ee/gitlab/ci/config_spec.rb

@@ -45,30 +45,14 @@ RSpec.describe Gitlab::Ci::Config do
 
     let_it_be(:policies_repository) { create(:project, :repository) }
     let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
-
-    let_it_be(:policy_yml) do
-      <<-EOS
-      scan_execution_policy:
-       -  name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-      EOS
-    end
+    let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
 
     subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
 
     before do
       allow_next_instance_of(Repository) do |repository|
         # allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
-        allow(repository).to receive(:blob_data_at).and_return(policy_yml)
+        allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
       end
     end
 

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -16,28 +16,18 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
 
   let_it_be(:policies_repository) { create(:project, :repository) }
   let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
-
-  let_it_be(:policy_yml) do
-    <<-EOS
-    scan_execution_policy:
-      -  name: Run DAST in every pipeline
-         description: This policy enforces to run DAST for every pipeline within the project
-         enabled: true
-         rules:
-         - type: pipeline
-           branches:
-           - "production"
-         actions:
-         - scan: dast
-           site_profile: Site Profile
-           scanner_profile: Scanner Profile
-         - scan: secret_detection
-    EOS
+  let_it_be(:policy) do
+    build(:scan_execution_policy, actions: [
+    { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+    { scan: 'secret_detection' }
+  ])
   end
 
+  let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
+
   before do
     allow_next_instance_of(Repository) do |repository|
-      allow(repository).to receive(:blob_data_at).and_return(policy_yml)
+      allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
     end
   end
 
@@ -56,20 +46,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
   end
 
   shared_examples 'when policy is invalid' do
-    let_it_be(:policy_yml) do
-      <<-EOS
-      scan_execution_policy:
-        -  name: Run DAST in every pipeline
-           description: This policy enforces to run DAST for every pipeline within the project
-           enabled: true
-           rules:
-           - type: pipeline
-             branches: "production"
-           actions:
-           - scan: dast
-             site_profile: Site Profile
-             scanner_profile: Scanner Profile
-      EOS
+    let_it_be(:policy_yaml) do
+      build(:scan_execution_policy_yaml, policies:
+      [build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
     end
 
     it 'does not modify the config', :aggregate_failures do

ee/spec/models/security/orchestration_policy_configuration_spec.rb

@@ -11,22 +11,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
   let(:default_branch) { security_policy_management_project.default_branch }
   let(:repository) { instance_double(Repository, root_ref: 'master') }
-  let(:policy_yaml) do
-    <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-    EOS
-  end
+  let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline')]) }
 
   before do
     allow(security_policy_management_project).to receive(:repository).and_return(repository)
@@ -153,22 +138,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
     end
 
     context 'when policy is present' do
-      let(:policy_yaml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        EOS
-      end
+      let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline' )]) }
 
       it 'retrieves policy by type' do
         expect(subject.first[:name]).to eq('Run DAST in every pipeline')
@@ -189,19 +159,8 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
     context 'when file is invalid' do
       let(:policy_yaml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branch: "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        EOS
+        build(:scan_execution_policy_yaml, policies:
+        [build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
       end
 
       it { is_expected.to eq(false) }
@@ -213,21 +172,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
     context 'when policy is passed as argument' do
       let_it_be(:policy_yaml) { nil }
-      let_it_be(:policy) do
-        {
-          scan_execution_policy: [
-            {
-              name: 'Run Scan in every pipeline',
-              description: 'This policy enforces to security scan for every pipeline within the project',
-              enabled: true,
-              rules: [{ type: 'pipeline', branches: %w[production] }],
-              actions: [
-                { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-              ]
-            }
-          ]
-        }
-      end
+      let_it_be(:policy) { { scan_execution_policy: [build(:scan_execution_policy)] } }
 
       context 'when scan type is secret_detection' do
         it 'returns false if extra fields are present' do
@@ -248,72 +193,16 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
   end
 
   describe '#active_policies' do
-    let(:enforce_dast_yaml) do
-      <<-EOS
-      scan_execution_policy:
-      - name: Run DAST in every pipeline
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-      EOS
-    end
-
+    let(:enforce_dast_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
     let(:policy_yaml) { fixture_file('security_orchestration.yml', dir: 'ee') }
 
     let(:expected_active_policies) do
       [
-        {
-          name: 'Run DAST in every pipeline',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'pipeline', branches: %w[production] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        },
-        {
-          name: 'Run DAST in every pipeline_v1',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'pipeline', branches: %w[master] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        },
-        {
-          name: 'Run DAST in every pipeline_v3',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'pipeline', branches: %w[master] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        },
-        {
-          name: 'Run DAST in every pipeline_v4',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'pipeline', branches: %w[master] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        },
-        {
-          name: 'Run DAST in every pipeline_v5',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'pipeline', branches: %w[master] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        }
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline'),
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline_v1', rules: [{ type: 'pipeline', branches: %w[master] }]),
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline_v3', rules: [{ type: 'pipeline', branches: %w[master] }]),
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline_v4', rules: [{ type: 'pipeline', branches: %w[master] }]),
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline_v5', rules: [{ type: 'pipeline', branches: %w[master] }])
       ]
     end
 
@@ -340,49 +229,11 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
   end
 
   describe '#on_demand_scan_actions' do
-    let(:policy_yaml) do
-      <<-EOS
-      scan_execution_policy:
-        - name: Run DAST in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        - name: Run DAST in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "release/*"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-        - name: Run DAST in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "*"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 3
-            scanner_profile: Scanner Profile 3
-        - name: Run SAST in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "release/*"
-          actions:
-          - scan: sast
-      EOS
-    end
+    let(:policy1) { build(:scan_execution_policy) }
+    let(:policy2) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['release/*'] }], actions: [{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }]) }
+    let(:policy3) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['*'] }], actions: [{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' }]) }
+    let(:policy4) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['release/*'] }], actions: [{ scan: 'sast' }]) }
+    let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2, policy3, policy4]) }
 
     let(:expected_actions) do
       [
@@ -411,49 +262,11 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
   end
 
   describe '#pipeline_scan_actions' do
-    let(:policy_yaml) do
-      <<-EOS
-      scan_execution_policy:
-        - name: Run DAST and Secret Detection in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-          - scan: secret_detection
-        - name: Run DAST in every pipeline
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        - name: Run Secret Detection for all branches
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "*"
-          actions:
-          - scan: secret_detection
-        - name: Scheduled scan
-          enabled: true
-          rules:
-          - type: schedule
-            cadence: '*/15 * * * *'
-            branches:
-            - "*"
-          actions:
-          - scan: secret_detection
-      EOS
-    end
+    let(:policy1) { build(:scan_execution_policy) }
+    let(:policy2) { build(:scan_execution_policy, actions: [{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }, { scan: 'secret_detection' }]) }
+    let(:policy3) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['*'] }], actions: [{ scan: 'secret_detection' }]) }
+    let(:policy4) { build(:scan_execution_policy, :with_schedule, actions: [{ scan: 'secret_detection' }]) }
+    let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2, policy3, policy4]) }
 
     let(:expected_actions) do
       [{ scan: 'secret_detection' }, { scan: 'secret_detection' }]
@@ -470,23 +283,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
   describe '#active_policy_names_with_dast_site_profile' do
     let(:policy_yaml) do
-      <<-EOS
-      scan_execution_policy:
-      - name: Run DAST in every pipeline
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile 2
-      EOS
+      build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline', actions: [
+      { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+      { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile 2' }
+    ])])
     end
 
     it 'returns list of policy names where site profile is referenced' do
@@ -496,24 +296,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
   describe '#active_policy_names_with_dast_scanner_profile' do
     let(:enforce_dast_yaml) do
-      <<-EOS
-      scan_execution_policy:
-      - type: scan_execution_policy
-        name: Run DAST in every pipeline
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-        - scan: dast
-          site_profile: Site Profile 2
-          scanner_profile: Scanner Profile
-      EOS
+      build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline', actions: [
+      { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+      { scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile' }
+    ])])
     end
 
     before do

ee/spec/requests/api/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb

@@ -7,22 +7,7 @@ RSpec.describe 'Create scan execution policy for a project' do
 
   let_it_be(:current_user) { create(:user) }
   let_it_be(:project) { create(:project, :repository, namespace: current_user.namespace) }
-  let_it_be(:policy_yaml) do
-    <<-EOS
-        name: Run DAST in every pipeline
-        type: scan_execution_policy
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-    EOS
-  end
+  let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
 
   def mutation
     variables = { project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: 'APPEND' }

ee/spec/requests/projects/security/policies_controller_spec.rb

@@ -8,18 +8,7 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
   let_it_be(:project) { create(:project, :repository, namespace: owner.namespace) }
   let_it_be(:policy_management_project) { create(:project, :repository, namespace: owner.namespace) }
   let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
-  let_it_be(:policy) do
-    {
-      name: 'Run DAST in every pipeline',
-      description: 'This policy enforces to run DAST for every pipeline within the project',
-      enabled: true,
-      rules: [{ type: 'pipeline', branches: %w[production] }],
-      actions: [
-        { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-      ]
-    }
-  end
-
+  let_it_be(:policy) { build(:scan_execution_policy) }
   let_it_be(:type) { 'scan_execution_policy' }
   let_it_be(:index) { project_security_policies_url(project) }
   let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }