Commit b7e3049d authored by Can Eldem's avatar Can Eldem Committed by Markus Koller

Limit security policy to a file

Allow only 5 policy to be enabled
parent 2516aeb2
......@@ -6,7 +6,8 @@ module Security
self.table_name = 'security_orchestration_policy_configurations'
POLICIES_BASE_PATH = '.gitlab/security-policies/'
POLICY_PATH = '.gitlab/security-policies/policy.yml'
POLICY_LIMIT = 5
ON_DEMAND_SCANS = %w[dast].freeze
......@@ -23,12 +24,7 @@ module Security
def active_policies
return [] unless enabled?
security_policy_management_project
.repository
.ls_files(security_policy_management_project.default_branch_or_master)
.grep(/\A#{Regexp.escape(POLICIES_BASE_PATH)}.+\.(yml|yaml)\z/)
.map { |path| policy_at(path) }
.select { |config| config[:enabled] }
scan_execution_policy_at(POLICY_PATH).select { |config| config[:enabled] }.first(POLICY_LIMIT)
end
def on_demand_scan_actions(branch)
......@@ -48,6 +44,14 @@ module Security
private
def policy_repo
security_policy_management_project.repository
end
def default_branch_or_master
security_policy_management_project.default_branch_or_master
end
def active_policy_names_with_dast_profiles
strong_memoize(:active_policy_names_with_dast_profiles) do
profiles = { site_profiles: Hash.new { Set.new }, scanner_profiles: Hash.new { Set.new } }
......@@ -65,11 +69,9 @@ module Security
end
end
def policy_at(path)
security_policy_management_project
.repository
.blob_data_at(security_policy_management_project.default_branch_or_master, path)
.then { |config| Gitlab::Config::Loader::Yaml.new(config).load! }
def scan_execution_policy_at(path)
policy_repo.blob_data_at(default_branch_or_master, path)
.then { |config| Gitlab::Config::Loader::Yaml.new(config).load!.fetch(:scan_execution_policy, []) }
end
def applicable_for_branch?(policy, ref)
......
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run DAST in every pipeline_v1
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Disabled policy
description: This policy is disabled
enabled: false
rules: []
actions: []
- name: Disabled policy_v2
description: This policy is disabled v2
enabled: false
rules: []
actions: []
- name: Run DAST in every pipeline_v3
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run DAST in every pipeline_v4
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run DAST in every pipeline_v5
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run DAST in every pipeline_v6
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment