Apply 58 suggestion(s) to 29 file(s)

Co-authored-by: Nwanna Isong <nisong@gitlab.com>

ee/config/metrics/counts_7d/count_distinct_namespace_id_from_scans_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_namespace_id_from_scans_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique namespaces with scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: dast
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: secret_detection
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: container_scanning
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: sast
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: sast_iac
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: dependency_scanning

ee/config/metrics/counts_7d/count_distinct_namespace_id_from_sd_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_namespace_id_from_sd_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique namespaces with Secret Detection Secret Detection scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: namespace.id
+  filter:
+    label: secret_detection

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_cs_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_cs_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with Container Scanning scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: container_scanning

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_dast_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_dast_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with DAST scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: dast

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_ds_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_ds_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with Dependency Scanning scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: dependency_scanning

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_sast_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_sast_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with SAST scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: sast

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_sast_iac_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_sast_iac_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with SAST IaC scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: sast_iac

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_scans_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_scans_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with scans enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: dast
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: secret_detection
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: container_scanning
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: sast
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: sast_iac
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: dependency_scanning

ee/config/metrics/counts_7d/count_distinct_project_id_from_label_sd_enforced_by_active_sep_policy_weekly.yml

+---
+key_path: redis_hll_counters.count_distinct_project_id_from_sd_enforced_by_active_sep_policy_weekly
+description: Weekly count of unique projects with Secret Detection scan enforced by active Scan Execution Policy
+product_group: security_policies
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.6'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170447
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tier:
+- ultimate
+events:
+- name: enforce_scan_execution_policy_in_project
+  unique: project.id
+  filter:
+    label: secret_detection

ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb

@@ -6,6 +6,7 @@ class Config
       module SecurityOrchestrationPolicies
         class Processor
           include Gitlab::Utils::StrongMemoize
+          include ::Gitlab::InternalEventsTracking
 
           DEFAULT_ON_DEMAND_STAGE = 'dast'
           DEFAULT_SECURITY_JOB_STAGE = 'test'
@@ -34,6 +35,7 @@ def perform
             merged_config[:stages] = cleanup_stages(merged_config[:stages])
             merged_config.delete(:stages) if merged_config[:stages].blank?
 
+            track_internal_events_for_enforced_scans
             observe_processing_duration(Time.current - @start)
 
             merged_config
@@ -144,6 +146,20 @@ def active_scan_template_actions
           end
           strong_memoize_attr :active_scan_template_actions
 
+          def track_internal_events_for_enforced_scans
+            active_scan_template_actions.each do |action|
+              next unless action[:scan]
+
+              track_internal_event(
+                'enforce_scan_execution_policy_in_project',
+                project: project,
+                additional_properties: {
+                  label: action[:scan]
+                }
+              )
+            end
+          end
+
           def observe_processing_duration(duration)
             ::Gitlab::Ci::Pipeline::Metrics
               .pipeline_security_orchestration_policy_processing_duration_histogram

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -46,7 +46,10 @@
   let_it_be(:policy) do
     build(:scan_execution_policy, actions: [
       { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
-      { scan: 'secret_detection' }
+      { scan: 'secret_detection' },
+      { scan: 'container_scanning' },
+      { scan: 'sast_iac' },
+      { scan: 'dependency_scanning' }
     ])
   end
 
@@ -193,6 +196,10 @@
       [build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
     end
 
+    it 'does not track internal metrics' do
+      expect { perform_service }.not_to trigger_internal_events('enforce_scan_execution_policy_in_project')
+    end
+
     it 'does not modify the config', :aggregate_failures do
       expect(config).not_to receive(:deep_merge)
       expect(perform_service).to eq(config)
@@ -203,6 +210,10 @@
     it 'does not modify the config' do
       expect(perform_service).to eq(config)
     end
+
+    it 'does not track internal metrics' do
+      expect { perform_service }.not_to trigger_internal_events('enforce_scan_execution_policy_in_project')
+    end
   end
 
   context 'when feature is licensed' do
@@ -269,6 +280,30 @@
         end
       end
 
+      context 'when sast, dast and secret_detection scans are enforced' do
+        it 'tracks event' do
+          expect { perform_service }
+            .to trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'dast' })
+            .once
+          .and trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'sast' })
+            .once
+          .and trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'secret_detection' })
+            .once
+          .and trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'container_scanning' })
+            .once
+          .and trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'sast_iac' })
+            .once
+          .and trigger_internal_events('enforce_scan_execution_policy_in_project')
+            .with(project: project, additional_properties: { label: 'dependency_scanning' })
+            .once
+        end
+      end
+
       it_behaves_like 'with pipeline source applicable for CI'
       it_behaves_like 'when policy is invalid'