diff --git a/ee/app/workers/security/process_scan_result_policy_worker.rb b/ee/app/workers/security/process_scan_result_policy_worker.rb
index 4697f91c1cd6ab357a0f40907befd8277ce9a3f2..d2a9d0891c5f7674243fd9217873c502c359d6a7 100644
--- a/ee/app/workers/security/process_scan_result_policy_worker.rb
+++ b/ee/app/workers/security/process_scan_result_policy_worker.rb
@@ -51,7 +51,7 @@ def sync_policies(project, configuration)
 measure_and_log(:policy_creation) do
 configuration
- .applicable_scan_result_policies_with_real_index(project) do |policy, policy_idx, real_policy_idx|
+ .applicable_scan_result_policies_with_real_index(project) do |policy, real_policy_idx, policy_idx|
 Security::SecurityOrchestrationPolicies::ProcessScanResultPolicyService.new(
 project: project,
 policy_configuration: configuration,
diff --git a/ee/spec/workers/security/process_scan_result_policy_worker_spec.rb b/ee/spec/workers/security/process_scan_result_policy_worker_spec.rb
index 97da4b3ac8e4f4269efcc5fcb8efe7f568d30cdb..b6f3e600536ddc07aae15aec26624b758e1a5bd3 100644
--- a/ee/spec/workers/security/process_scan_result_policy_worker_spec.rb
+++ b/ee/spec/workers/security/process_scan_result_policy_worker_spec.rb
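Review bot: The block parameters on the changed line are two positional Integers, so the earlier swap was silent at runtime and the only thing that now keeps `real_policy_idx`/`policy_idx` aligned with what `applicable_scan_result_policies_with_real_index` yields is the naming on this line; a comment pinning the yield contract would make the next reordering visible in review. From the spec added in this commit, `policy_index` counts only the applicable (enabled) policies while `real_policy_index` is the position in the configuration's full `scan_result_policy` list, disabled entries included. I would add above the call: `# yields (policy, real_policy_idx, policy_idx): real index = position among all configured scan result policies, policy_idx = position among applicable ones`. If either index is persisted or used downstream to tie approval rules to a policy, a mismatch would silently pair a rule with the wrong policy, so the yield order is worth asserting in the helper's own spec as well. sync_policies begins before this hunk and the ProcessScanResultPolicyService.new call continues past it.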
@@ -126,6 +126,83 @@
 end
 end
+ context 'with multiple policies' do
+ let(:policies) do
+ {
+ scan_execution_policy: [],
+ scan_result_policy:
+ [
+ {
+ name: 'CS critical policy',
+ description: 'This policy with CS for critical policy',
+ enabled: true,
+ rules: [
+ { type: 'scan_finding', branches: %w[production], vulnerabilities_allowed: 0,
+ severity_levels: %w[critical], scanners: %w[container_scanning],
+ vulnerability_states: %w[newly_detected] }
+ ],
+ actions: [
+ { type: 'require_approval', approvals_required: 1, user_approvers: %w[admin] }
+ ]
+ },
+ {
+ name: 'Disabled policy',
+ description: 'This policy with CS for critical policy',
+ enabled: false,
+ rules: [
+ { type: 'scan_finding', branches: %w[production], vulnerabilities_allowed: 0,
+ severity_levels: %w[critical], scanners: %w[container_scanning],
+ vulnerability_states: %w[newly_detected] }
+ ],
+ actions: [
+ { type: 'require_approval', approvals_required: 1, user_approvers: %w[admin] }
+ ]
+ },
+ {
+ name: 'DS critical policy',
+ description: 'This policy with DS for critical policy',
+ enabled: true,
+ rules: [
+ { type: 'scan_finding', branches: %w[production], vulnerabilities_allowed: 0,
+ severity_levels: %w[critical], scanners: %w[dependency_scanning],
+ vulnerability_states: %w[newly_detected] }
+ ],
+ actions: [
+ { type: 'require_approval', approvals_required: 1, user_approvers: %w[admin] }
+ ]
+ }
+ ]
+ }
+ end
+
+ it_behaves_like 'when policy is applicable based on the policy scope configuration' do
+ it 'calls service with correct policy_index and real_policy_index' do
+ expect_next_instance_of(
+ Security::SecurityOrchestrationPolicies::ProcessScanResultPolicyService,
+ project: configuration.project,
+ policy_configuration: configuration,
+ policy: active_scan_result_policies[0],
+ policy_index: 0,
+ real_policy_index: 0
+ ) do |service|
+ expect(service).to receive(:execute)
+ end
+ expect_next_instance_of(
+ Security::SecurityOrchestrationPolicies::ProcessScanResultPolicyService,
+ project: configuration.project,
+ policy_configuration: configuration,
+ policy: active_scan_result_policies[1],
+ policy_index: 1,
+ real_policy_index: 2
+ ) do |service|
+ expect(service).to receive(:execute)
+ end
+
+ worker.perform(configuration.project_id, configuration.id)
+ end
+ end
+ end
+
 context 'without transaction' do
 it 'does not wrap the execution within transaction' do
 expect(Security::OrchestrationPolicyConfiguration).not_to receive(:transaction).and_yield