Add documentation for security policies with schedule rule

cdce4baf · Alan (Maciej) Paruszewski · Nick Gaskill · a74f1635 · cdce4baf
Commit cdce4baf authored May 10, 2021 by Alan (Maciej) Paruszewski Committed by Nick Gaskill May 10, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 8 deletions

doc/user/application_security/policies/index.md doc/user/application_security/policies/index.md +18 -8

No files found.
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -112,6 +112,16 @@ This rule enforces the defined actions whenever the pipeline runs for a selected
 | `type` | `string` | `pipeline` | The rule's type. |
 | `branches` | `array` of `string` | `*` or the branch's name | The branch the given policy applies to (supports wildcard). |
+### `schedule` rule type
+This rule enforces the defined actions and schedules a scan on the provided date/time.
+| Field      | Type | Possible values | Description |
+|------------|------|-----------------|-------------|
+| `type`     | `string` | `schedule` | The rule's type. |
+| `branches` | `array` of `string` | `*` or the branch's name | The branch the given policy applies to (supports wildcard). |
+| `cadence`  | `string` | CRON expression (for example, `0 0 * * *`) | A whitespace-separated string containing five fields that represents the scheduled time. |
 ### `scan` action type
 This action executes the selected `scan` with additional parameters when conditions for at least one
@@ -131,6 +141,9 @@ Note the following:
 - Once you associate the site profile and scanner profile by name in the policy, it is not possible
  to modify or delete them. If you want to modify them, you must first disable the policy by setting
  the `active` flag to `false`.
+- When configuring policies with a scheduled DAST scan, the author of the commit in the security
+  policy project's repository must have access to the scanner and site profiles. Otherwise, the scan
+  is not scheduled successfully.
 Here's an example:
@@ -148,13 +161,14 @@ scan_execution_policy:
  - scan: dast
    scanner_profile: Scanner Profile A
    site_profile: Site Profile B
- name: Enforce DAST in every pipeline in main branch
+- name: Enforce DAST scan every 10 minutes
-  description: This policy enforces pipeline configuration to have a job with DAST scan for main branch
+  description: This policy enforces a DAST scan to run every 10 minutes
  enabled: true
  rules:
-  - type: pipeline
+  - type: schedule
    branches:
    - main
+    cadence: */10 * * * *
  actions:
  - scan: dast
    scanner_profile: Scanner Profile C
@@ -164,11 +178,7 @@ scan_execution_policy:
 In this example, the DAST scan runs with the scanner profile `Scanner Profile A` and the site
 profile `Site Profile B` for every pipeline executed on branches that match the
 `release/*` wildcard (for example, branch name `release/v1.2.1`); and the DAST scan runs with
-the scanner profile `Scanner Profile C` and the site profile `Site Profile D` for every pipeline executed on `main` branch.
+the scanner profile `Scanner Profile C` and the site profile `Site Profile D` every 10 minutes.
-NOTE:
-All scanner and site profiles must be configured and created for each project that is assigned to the selected Security Policy Project.
-If they are not created, the job will fail with the error message.
 ## Security Policy project selection