Add customized README file when creating new Security Policy Project

Changelog: changed
EE: true

app/services/projects/create_service.rb

@@ -12,6 +12,7 @@ module Projects
       @import_data = @params.delete(:import_data)
       @relations_block = @params.delete(:relations_block)
       @default_branch = @params.delete(:default_branch)
+      @readme_template = @params.delete(:readme_template)
 
       build_topics
     end
@@ -149,12 +150,16 @@ module Projects
         branch_name: @default_branch.presence || @project.default_branch_or_main,
         commit_message: 'Initial commit',
         file_path: 'README.md',
-        file_content: experiment(:new_project_readme_content, namespace: @project.namespace).run_with(@project)
+        file_content: readme_content
       }
 
       Files::CreateService.new(@project, current_user, commit_attrs).execute
     end
 
+    def readme_content
+      @readme_template.presence || experiment(:new_project_readme_content, namespace: @project.namespace).run_with(@project)
+    end
+
     def skip_wiki?
       !@project.feature_available?(:wiki, current_user) || @skip_wiki
     end

ee/app/services/security/security_orchestration_policies/project_create_service.rb

@@ -4,6 +4,7 @@ module Security
   module SecurityOrchestrationPolicies
     class ProjectCreateService < ::BaseProjectService
       ACCESS_LEVELS_TO_ADD = [Gitlab::Access::MAINTAINER, Gitlab::Access::DEVELOPER].freeze
+      README_TEMPLATE_PATH = Rails.root.join('ee', 'app', 'views', 'projects', 'security', 'policies', 'readme.md.tt')
 
       def execute
         return error('Security Policy project already exists.') if project.security_orchestration_policy_configuration.present?
@@ -41,10 +42,15 @@ module Security
           requirements_enabled: false,
           builds_enabled: false,
           wiki_enabled: false,
-          snippets_enabled: false
+          snippets_enabled: false,
+          readme_template: readme_template
         }
       end
 
+      def readme_template
+        ERB.new(File.read(README_TEMPLATE_PATH), trim_mode: '<>').result(binding)
+      end
+
       attr_reader :project
     end
   end

ee/app/views/projects/security/policies/readme.md.tt

+# Security Policy Project for <%= @project.name %>
+
+This project is automatically generated to manage security policies for the project.
+
+The Security Policies Project is a repository used to store policies. All security policies are stored as a YAML file named `.gitlab/security-policies/policy.yml`, with this format:
+
+```yaml
+---
+scan_execution_policy:
+- name: Enforce DAST in every pipeline
+  description: This policy enforces pipeline configuration to have a job with DAST scan
+  enabled: true
+  rules:
+  - type: pipeline
+    branches:
+    - master
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile A
+    site_profile: Site Profile B
+- name: Enforce DAST in every pipeline in the main branch
+  description: This policy enforces pipeline configuration to have a job with DAST scan for the main branch
+  enabled: true
+  rules:
+  - type: pipeline
+    branches:
+    - main
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile C
+    site_profile: Site Profile D
+```
+
+You can read more about the format and policies schema in the [documentation](https://docs.gitlab.com/ee/user/application_security/policies/#scan-execution-policies-schema).
+
+## Default branch protection settings
+
+This project is preconfigured with the default branch set as a protected branch, and only [project](<%= @project.web_url %>)
+maintainers/owners have permission to merge into that branch. This overrides any default branch protection both at the
+[group level](https://docs.gitlab.com/ee/user/group/index.html#change-the-default-branch-protection-of-a-group) and at the
+[instance level](https://docs.gitlab.com/ee/user/admin_area/settings/visibility_and_access_controls.html#default-branch-protection).

ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb

@@ -18,7 +18,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
         project.add_developer(developer)
       end
 
-      it 'creates policy project with maintainers and developers from target project as developers' do
+      it 'creates policy project with maintainers and developers from target project as developers', :aggregate_failures do
         response = service.execute
 
         policy_project = response[:policy_project]
@@ -26,6 +26,8 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
         expect(policy_project.namespace).to eq(project.namespace)
         expect(policy_project.team.developers).to contain_exactly(maintainer, developer)
         expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
+        expect(policy_project.repository.readme.data).to include('# Security Policy Project for')
+        expect(policy_project.repository.readme.data).to include('## Default branch protection settings')
       end
     end
 

spec/services/projects/create_service_spec.rb

@@ -601,6 +601,18 @@ RSpec.describe Projects::CreateService, '#execute' do
           MARKDOWN
         end
       end
+
+      context 'and readme_template is specified' do
+        before do
+          opts[:readme_template] = "# GitLab\nThis is customized template."
+        end
+
+        it_behaves_like 'creates README.md'
+
+        it 'creates README.md with specified template' do
+          expect(project.repository.readme.data).to include('This is customized template.')
+        end
+      end
     end
   end