Merge branch '299215-update-documentation' into 'master'

Update scan policies documentation with new format See merge request gitlab-org/gitlab!58992

Merge branch '299215-update-documentation' into 'master'
Update scan policies documentation with new format See merge request gitlab-org/gitlab!58992
ec1501b4 · Russell Dickenson · 4343134d · 67df7406 · ec1501b4
Commit ec1501b4 authored Apr 12, 2021 by Russell Dickenson
Hide whitespace changes
Inline Side-by-side

Showing with 60 additions and 28 deletions

doc/user/application_security/policies/index.md doc/user/application_security/policies/index.md +60 -28

No files found.
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -55,29 +55,46 @@ Feature.disable(:security_orchestration_policies_configuration, Project.find(<pr

 ## Security Policies project

-The Security Policies feature is a repository to store policies. All security policies are stored in
-the `.gitlab/security-policies` directory as a YAML file with this format:
+The Security Policies feature is a repository to store policies. All security policies are stored as
+the `.gitlab/security-policies/policy.yml` YAML file with this format:

 ```yaml
 ---
-type: scan_execution_policy
-name: Enforce DAST in every pipeline
-description: This policy enforces pipeline configuration to have a job with DAST scan
-enabled: true
-rules:
- type: pipeline
-  branch: master
-actions:
- scan: dast
-  scanner_profile: Scanner Profile A
-  site_profile: Site Profile B
+scan_execution_policy:
+- name: Enforce DAST in every pipeline
+  description: This policy enforces pipeline configuration to have a job with DAST scan
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: master
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile A
+    site_profile: Site Profile B
+- name: Enforce DAST in every pipeline in main branch
+  description: This policy enforces pipeline configuration to have a job with DAST scan for main branch
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: main
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile C
+    site_profile: Site Profile D
 ```

+### Scan Execution Policies Schema
+
+The YAML file with Scan Execution Policies consists of an array of objects matching Scan Execution Policy Schema nested under the `scan_execution_policy` key. You can configure a maximum of 5 policies under the `scan_execution_policy` key.
+
+| Field | Type | Possible values | Description |
+|-------|------|-----------------|-------------|
+| `scan_execution_policy` | `array` of Scan Execution Policy |  | List of scan execution policies (maximum 5) |
+
 ### Scan Execution Policy Schema

 | Field | Type | Possible values | Description |
 |-------|------|-----------------|-------------|
-| `type` | `string` | `scan_execution_policy` | The policy's type. |
 | `name` | `string` |  | Name of the policy. |
 | `description` (optional) | `string` |  | Description of the policy. |
 | `enabled` | `boolean` | `true`, `false` | Flag to enable (`true`) or disable (`false`) the policy. |
@@ -107,7 +124,7 @@ rule in the defined policy are met.
 Note the following:

 - You must create the [site profile](../dast/index.md#site-profile) and [scanner profile](../dast/index.md#scanner-profile)
-  with selected names for the project that is assigned to the selected Security Policy Project.
+  with selected names for each project that is assigned to the selected Security Policy Project.
  Otherwise, the policy is not applied and a job with an error message is created instead.
 - Once you associate the site profile and scanner profile by name in the policy, it is not possible
  to modify or delete them. If you want to modify them, you must first disable the policy by setting
@@ -117,22 +134,37 @@ Here's an example:

 ```yaml
 ---
-type: scan_execution_policy
-name: Enforce DAST in every pipeline
-description: This policy enforces pipeline configuration to have a job with DAST scan
-enabled: true
-rules:
- type: pipeline
-  branch: release/*
-actions:
- scan: dast
-  scanner_profile: Scanner Profile A
-  site_profile: Site Profile B
+scan_execution_policy:
+- name: Enforce DAST in every release pipeline
+  description: This policy enforces pipeline configuration to have a job with DAST scan for release branches
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: release/*
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile A
+    site_profile: Site Profile B
+- name: Enforce DAST in every pipeline in main branch
+  description: This policy enforces pipeline configuration to have a job with DAST scan for main branch
+  enabled: true
+  rules:
+  - type: pipeline
+    branch: main
+  actions:
+  - scan: dast
+    scanner_profile: Scanner Profile C
+    site_profile: Site Profile D
 ```

 In this example, the DAST scan runs with the scanner profile `Scanner Profile A` and the site
-profile `Site Profile B`. The scan runs for every pipeline executed on branches that match the
-`release/*` wildcard (for example, branch name `release/v1.2.1`).
+profile `Site Profile B` for every pipeline executed on branches that match the
+`release/*` wildcard (for example, branch name `release/v1.2.1`); and the DAST scan runs with
+the scanner profile `Scanner Profile C` and the site profile `Site Profile D` for every pipeline executed on `main` branch.
+
+NOTE:
+All scanner and site profiles must be configured and created for each project that is assigned to the selected Security Policy Project.
+If they are not created, the job will fail with the error message.

 ## Security Policy project selection