Add secret_detection to security_orchestration_policy JSON schema

This change adds secret_detection to security_orchestration_policy
JSON schema and also discard other fields related to dast.

EE: true
Changelog: added

ee/app/validators/json_schemas/security_orchestration_policy.json

@@ -71,14 +71,14 @@
                       "additionalItems": false,
                       "items": {
                           "required": [
-                              "scan",
-                              "site_profile"
+                              "scan"
                           ],
                           "type": "object",
                           "properties": {
                               "scan": {
                                   "enum": [
-                                      "dast"
+                                      "dast",
+                                      "secret_detection"
                                   ],
                                   "type": "string"
                               },
@@ -92,6 +92,35 @@
                                   ]
                               }
                           },
+                          "allOf": [
+                            {
+                              "if": {
+                                "properties": {
+                                  "scan": {
+                                    "const": "dast"
+                                  }
+                                }
+                              },
+                              "then": {
+                                "required": [
+                                  "site_profile"
+                                ],
+                                "maxProperties": 3
+                              }
+                            },
+                            {
+                              "if": {
+                                "properties": {
+                                  "scan": {
+                                    "const": "secret_detection"
+                                  }
+                                }
+                              },
+                              "then": {
+                                "maxProperties": 1
+                              }
+                            }
+                          ],
                           "additionalProperties": false
                       }
                   }

ee/spec/models/security/orchestration_policy_configuration_spec.rb

@@ -191,6 +191,41 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
 
       it { is_expected.to eq(true) }
     end
+
+    context 'when policy is passed as argument' do
+      let_it_be(:policy_yaml) { nil }
+      let_it_be(:policy) do
+        {
+          scan_execution_policy: [
+            {
+              name: 'Run Scan in every pipeline',
+              description: 'This policy enforces to security scan for every pipeline within the project',
+              enabled: true,
+              rules: [{ type: 'pipeline', branches: %w[production] }],
+              actions: [
+                { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
+              ]
+            }
+          ]
+        }
+      end
+
+      context 'when scan type is secret_detection' do
+        it 'returns false if extra fields are present' do
+          invalid_policy = policy.deep_dup
+          invalid_policy[:scan_execution_policy][0][:actions][0][:scan] = 'secret_detection'
+
+          expect(security_orchestration_policy_configuration.policy_configuration_valid?(invalid_policy)).to be_falsey
+        end
+
+        it 'returns true if extra fields are not present' do
+          valid_policy = policy.deep_dup
+          valid_policy[:scan_execution_policy][0][:actions][0] = { scan: 'secret_detection' }
+
+          expect(security_orchestration_policy_configuration.policy_configuration_valid?(valid_policy)).to be_truthy
+        end
+      end
+    end
   end
 
   describe '#active_policies' do