Commit a08527c5 authored by Sashi's avatar Sashi Committed by Matthias Käppler

Add secret_detection to security_orchestration_policy JSON schema

This change adds secret_detection to the security_orchestration_policy
JSON schema and also discards other dast-related fields.

EE: true
Changelog: added
parent af4c94c7
...@@ -71,14 +71,14 @@ ...@@ -71,14 +71,14 @@
"additionalItems": false, "additionalItems": false,
"items": { "items": {
"required": [ "required": [
"scan", "scan"
"site_profile"
], ],
"type": "object", "type": "object",
"properties": { "properties": {
"scan": { "scan": {
"enum": [ "enum": [
"dast" "dast",
"secret_detection"
], ],
"type": "string" "type": "string"
}, },
...@@ -92,6 +92,35 @@ ...@@ -92,6 +92,35 @@
] ]
} }
}, },
"allOf": [
{
"if": {
"properties": {
"scan": {
"const": "dast"
}
}
},
"then": {
"required": [
"site_profile"
],
"maxProperties": 3
}
},
{
"if": {
"properties": {
"scan": {
"const": "secret_detection"
}
}
},
"then": {
"maxProperties": 1
}
}
],
"additionalProperties": false "additionalProperties": false
} }
} }
......
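Review bot: The `maxProperties` caps in the new `allOf` branches enforce each scan type's allowed field set by count rather than by name, so the schema does not say which keys a `secret_detection` action may carry, and a key added to `properties` later would be accepted or rejected for a given branch purely by arithmetic. Since `additionalProperties: false` already limits keys to those listed in `properties` (the list itself is outside the hunk), stating the restriction by name reads as intent and survives schema growth, e.g. `"propertyNames": { "const": "scan" }` in the `secret_detection` branch instead of `"maxProperties": 1`. Because JSON carries no comments, a `"description"` on each branch stating the rule (only `scan` for secret_detection; `site_profile` required for dast) would help the next maintainer. Whether `if`/`then` is honoured at all depends on the declared `$schema` draft, which is outside the hunk; the spec added in this commit exercises only the `secret_detection` branch.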
...@@ -191,6 +191,41 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -191,6 +191,41 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
it { is_expected.to eq(true) } it { is_expected.to eq(true) }
end end
context 'when policy is passed as argument' do
let_it_be(:policy_yaml) { nil }
let_it_be(:policy) do
{
scan_execution_policy: [
{
name: 'Run Scan in every pipeline',
description: 'This policy enforces to security scan for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
]
}
end
context 'when scan type is secret_detection' do
it 'returns false if extra fields are present' do
invalid_policy = policy.deep_dup
invalid_policy[:scan_execution_policy][0][:actions][0][:scan] = 'secret_detection'
expect(security_orchestration_policy_configuration.policy_configuration_valid?(invalid_policy)).to be_falsey
end
it 'returns true if extra fields are not present' do
valid_policy = policy.deep_dup
valid_policy[:scan_execution_policy][0][:actions][0] = { scan: 'secret_detection' }
expect(security_orchestration_policy_configuration.policy_configuration_valid?(valid_policy)).to be_truthy
end
end
end
end end
describe '#active_policies' do describe '#active_policies' do
......
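Review bot: The new context exercises only the `secret_detection` branch, while the schema change in this commit also moves `site_profile` from the unconditional `required` list into the `dast`-only branch, so a `dast` action without `site_profile` should now be rejected and nothing here checks it. An example such as `it 'returns false when a dast action omits site_profile'` that does `invalid_policy[:scan_execution_policy][0][:actions][0].delete(:site_profile)` and expects an invalid result would cover the moved requirement. The matchers `be_falsey`/`be_truthy` accept any falsy or truthy value, whereas the existing example at the top of the hunk uses `eq(true)`; `be(false)`/`be(true)` would keep the assertion style consistent and pin the boolean return. The enclosing `describe` begins outside the hunk.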