Thanks for updating the MR @arfedoro!
LGTM!
Hi @alipniagov, could you please do the backend maintainer review?
Removes the security_policies_split_view feature flag from backend code and deletes the flag definition file, completing the feature flag cleanup.
After this MR, the split view (advanced editor toggle) is always available — gated only by the user preference (policy_advanced_editor). No feature flag check is needed.
Related to #593378
Note: This MR should be merged after !227098 (frontend cleanup).
| File | Change |
|---|---|
groups/security/policies_controller.rb |
Removed push_frontend_feature_flag(:security_policies_split_view, group)
|
projects/security/policies_controller.rb |
Removed push_frontend_feature_flag(:security_policies_split_view, project.group)
|
security_orchestration_helper.rb |
Removed Feature.enabled? check from policy_editor_enabled?
|
security_policies_split_view.yml |
Deleted |
stub_feature_flags(security_policies_split_view: ...) from helper spec and all 5 feature specssecurity_policies_split_view in the codebaseThanks for working on this cleanup @arfedoro!
LGTM! I just left a minor suggestion about removing a method parameter.
It seems that we also need a test review.
Hi @mvaishnao, could you please do the test review?
I believe we can remove the container parameter. WDYT of something like:
===================================================================
diff --git a/ee/app/helpers/ee/security_orchestration_helper.rb b/ee/app/helpers/ee/security_orchestration_helper.rb
--- a/ee/app/helpers/ee/security_orchestration_helper.rb (revision aafeaa5c9a3773f176349096cf40352caabf82f8)
+++ b/ee/app/helpers/ee/security_orchestration_helper.rb (date 1773778016280)
@@ -78,7 +78,7 @@
enabled_experiments: enabled_policy_experiments(container),
designated_as_csp: container.designated_as_csp?.to_s,
access_tokens: access_tokens_for_container(container).to_json,
- policy_editor_enabled: policy_editor_enabled?(container).to_s
+ policy_editor_enabled: policy_editor_enabled?.to_s
}
if container.is_a?(::Project)
@@ -90,7 +90,7 @@
end
end
- def policy_editor_enabled?(_container)
+ def policy_editor_enabled?
return false unless current_user&.user_preference
current_user.user_preference.policy_advanced_editor
Thanks for the updates @mcavoj!
I am enabling the auto-merge!
Persist per-project schedules for scan execution policies
Add the security_scan_execution_project_schedules table and ScanExecutionProjectSchedule model to persist per-project random offsets for scheduled scan execution policies.
The RuleScheduleService now creates a project schedule row on every execution (behind the scan_execution_policy_project_schedule_creation feature flag).
.for_rule_schedule
SELECT "security_policies".* FROM "security_policies" WHERE "security_policies"."type" = 1 AND "security_policies"."security_orchestration_policy_configuration_id" = 309 AND "security_policies"."policy_index" = 0Plan: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/49791/commands/148219
Feature.enable(:scan_execution_policy_project_schedule_creation)scan_execution_policy:
- name: Secrets on schedule
description: ''
enabled: true
actions:
- scan: secret_detection
template: latest
variables:
SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
rules:
- type: schedule
cadence: 0 0 1 * *
branch_type: default
timezone: Europe/Zurich
skip_ci:
allowed: true
schedule = Security::OrchestrationPolicyRuleSchedule.last
schedule.update_columns(next_run_at: 1.day.ago) && Security::OrchestrationPolicyRuleScheduleWorker.new.perform schedule.project_schedules
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #592731
Hi @mbobin, do you have capacity to review this MR?
Marcos Rocha (538f8bc8) at 17 Mar 14:21
Marcos Rocha (96ab6fdf) at 17 Mar 14:21
Merge branch '585656-fix-vulnerability_attributes-for-mrap' into 'm...
... and 1 more commit
Thanks for the updates @Andyschoenen!
backend LGTM!
Hi @mksionek, could you please do the backend maintainer review?
Scheduled Pipeline Execution Policies (SPEP) allow organizations to enforce scheduled pipelines across all projects in a group. However, customers are hesitant to enable these policies in production because they lack visibility into the potential impact — they need to understand how many pipelines will be triggered, how long each will take, and the overall resource cost.
To address this, we are building a test run feature that lets users validate a policy configuration by triggering a dry-run on a single project before enabling the policy at scale. The test run captures pipeline duration and status, which can then be used to estimate the total impact across all projects in scope.
The backend service for creating and tracking test runs was merged in !222053, and the testRuns query field on SecurityPolicyType was added in !226513. This MR adds the GraphQL mutation to trigger a test run and a top-level query to fetch a single test run by ID, completing the API surface needed by the frontend.
PipelineExecutionSchedulePolicyTestRun mutation — Accepts a policy ID and project path, validates the policy is a pipeline_execution_schedule_policy, and delegates to the existing TestRunService to create the pipeline and test run record. Returns the test run and pipeline on success, or an error message on failure.
pipelineExecutionSchedulePolicyTestRun query — A top-level query that resolves a single test run by its global ID, authorized via :read_policy_schedule_test_run (requires push access to the security policy project).
PolicyScheduleTestRunType — GraphQL type exposing: id, state, started_at, finished_at, duration_seconds, error_message, project, pipeline, and a completed boolean that returns true when the run is in either complete or failed state (i.e., no longer running).
completed? model method — Added to ScheduledPipelineExecutionPolicyTestRun so the completed field correctly reflects that a failed run is also "done", not just a successful one.
ScheduledPipelineExecutionPolicyTestRunPolicy — DeclarativePolicy class that delegates project-level permissions and adds a custom :read_policy_schedule_test_run ability for policy authors.
| Operation | Check | Against | Rationale |
|---|---|---|---|
| Trigger test run (mutation) | :push_code |
Security policy project | Only policy editors can trigger — handled by TestRunService
|
| View test run (resolver) | :read_policy_schedule_test_run |
Test run → policy project | Policy authors should see results without needing target project access |
| Render test run fields (type) | :read_security_orchestration_policies |
Test run → target project | Delegates via project policy; gates field-level visibility |
Enable the feature flag:
Feature.enable(:spep_test_run)Set up a group with a security policy project and a scheduled pipeline execution policy (see !222053 for detailed setup steps).
Trigger a test run via the GraphQL mutation:
mutation {
pipelineExecutionSchedulePolicyTestRun(input: {
policyId: "gid://gitlab/Security::Policy/<POLICY_ID>"
projectPath: "your-group/your-project"
}) {
testRun {
id
state
completed
durationSeconds
startedAt
finishedAt
errorMessage
project { fullPath }
pipeline { id status }
}
errors
}
}Verify the mutation returns a test run in running state with a pipeline.
After the pipeline completes, query the test run by ID:
query {
pipelineExecutionSchedulePolicyTestRun(
id: "gid://gitlab/Security::ScheduledPipelineExecutionPolicyTestRun/<TEST_RUN_ID>"
) {
id
state
completed
durationSeconds
startedAt
finishedAt
errorMessage
}
}Verify completed is true and durationSeconds reflects the pipeline duration.
Test error cases:
"Policy must be a pipeline_execution_schedule_policy" error"Policy not found" errorEvaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #586805
Fixes vulnerability attributes (false_positive and fix_available) not being applied to pre-existing vulnerabilities in merge request approval rules.
The root cause is that vulnerability_attribute_false_positive and vulnerability_attribute_fix_available methods were overridden only in ApprovalProjectRule, while the base ApprovalRuleLike concern returned nil. Since ApprovalMergeRequestRule includes ApprovalRuleLike but did not override these methods, it always returned nil, causing pre-existing vulnerabilities to not be filtered by these attributes during MR approval rule synchronization.
This MR moves the implementation from ApprovalProjectRule up to the shared ApprovalRuleLike concern so that both ApprovalProjectRule and ApprovalMergeRequestRule correctly read vulnerability attributes from the associated scan_result_policy_read.
Changelog: fixed EE: true
Closes #585656
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Thanks for removing the pending todo @imam_h!
LGTM!
Fixes vulnerability attributes (false_positive and fix_available) not being applied to pre-existing vulnerabilities in merge request approval rules.
The root cause is that vulnerability_attribute_false_positive and vulnerability_attribute_fix_available methods were overridden only in ApprovalProjectRule, while the base ApprovalRuleLike concern returned nil. Since ApprovalMergeRequestRule includes ApprovalRuleLike but did not override these methods, it always returned nil, causing pre-existing vulnerabilities to not be filtered by these attributes during MR approval rule synchronization.
This MR moves the implementation from ApprovalProjectRule up to the shared ApprovalRuleLike concern so that both ApprovalProjectRule and ApprovalMergeRequestRule correctly read vulnerability attributes from the associated scan_result_policy_read.
Changelog: fixed EE: true
Closes #585656
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Persist per-project schedules for scan execution policies
Add the security_scan_execution_project_schedules table and ScanExecutionProjectSchedule model to persist per-project random offsets for scheduled scan execution policies.
The RuleScheduleService now creates a project schedule row on every execution (behind the scan_execution_policy_project_schedule_creation feature flag).
.for_rule_schedule
SELECT "security_policies".* FROM "security_policies" WHERE "security_policies"."type" = 1 AND "security_policies"."security_orchestration_policy_configuration_id" = 309 AND "security_policies"."policy_index" = 0Plan: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/49791/commands/148219
Feature.enable(:scan_execution_policy_project_schedule_creation)scan_execution_policy:
- name: Secrets on schedule
description: ''
enabled: true
actions:
- scan: secret_detection
template: latest
variables:
SECURE_ENABLE_LOCAL_CONFIGURATION: 'false'
rules:
- type: schedule
cadence: 0 0 1 * *
branch_type: default
timezone: Europe/Zurich
skip_ci:
allowed: true
schedule = Security::OrchestrationPolicyRuleSchedule.last
schedule.update_columns(next_run_at: 1.day.ago) && Security::OrchestrationPolicyRuleScheduleWorker.new.perform schedule.project_schedules
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #592731
Thanks @bauerdominic!
I updated the MR title, description, commit message, and changelog.
Thanks for the quick answer @bauerdominic!
I updated the MR according to your patch!
I don't think it's urgent. The related KEV and EPSS feature has not yet been released.
It seems the query worked after a few retries. Also, we only query for CVE enrichments updated in the last hour. I believe that in the worst case, the query would time out during this one hour, and after that, the job will not find recently CVEs anymore and will end without error, since the CVE enrichments are updated only once per day.