Add security policy scheduled scans concurrency limit

This MR adds a new application setting to define the number of concurrent CreatePipelineWorker jobs that can run concurrently. Changelog: added EE: true

Add security policy scheduled scans concurrency limit
74f4cd3b · Marcos Rocha · GitLab · cc867665 · 74f4cd3b · 74f4cd3b
--- a/app/views/admin/application_settings/_ci_cd.html.haml
+++ b/app/views/admin/application_settings/_ci_cd.html.haml
@@ -67,6 +67,8 @@
      .form-group
        = f.gitlab_ui_checkbox_component :enable_artifact_external_redirect_warning_page, s_('AdminSettings|Enable the external redirect warning page for job artifacts'), help_text: s_('AdminSettings|Show a redirect page that warns you about user-generated content in GitLab Pages.')

+      = render_if_exists 'admin/application_settings/security_policy_scheduled_scans_max_concurrency', form: f
+
    = f.submit _('Save changes'), pajamas_button: true

  .gl-mt-7

--- a/db/migrate/20240513191113_add_security_policy_scheduled_scans_max_concurrency_to_application_settings.rb
+++ b/db/migrate/20240513191113_add_security_policy_scheduled_scans_max_concurrency_to_application_settings.rb
+# frozen_string_literal: true
+
+class AddSecurityPolicyScheduledScansMaxConcurrencyToApplicationSettings < Gitlab::Database::Migration[2.2]
+  milestone '17.1'
+
+  def up
+    add_column :application_settings,
+      :security_policy_scheduled_scans_max_concurrency,
+      :integer,
+      default: 100,
+      null: false,
+      if_not_exists: true
+  end
+
+  def down
+    remove_column :application_settings, :security_policy_scheduled_scans_max_concurrency
+  end
+end
--- a/db/schema_migrations/20240513191113
+++ b/db/schema_migrations/20240513191113
+30bfce88068178c5b0dfd7ae34158322bfaec6490161fe46bb4436940303ac84
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -4590,6 +4590,7 @@ CREATE TABLE application_settings (
    package_registry jsonb DEFAULT '{}'::jsonb NOT NULL,
    rate_limits_unauthenticated_git_http jsonb DEFAULT '{}'::jsonb NOT NULL,
    importers jsonb DEFAULT '{}'::jsonb NOT NULL,
+    security_policy_scheduled_scans_max_concurrency integer DEFAULT 100 NOT NULL,
    CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
    CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
    CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
--- a/ee/app/helpers/ee/application_settings_helper.rb
+++ b/ee/app/helpers/ee/application_settings_helper.rb
@@ -57,6 +57,7 @@ def visible_attributes
        :secret_detection_token_revocation_url,
        :secret_detection_token_revocation_token,
        :secret_detection_revocation_token_types_url,
+        :security_policy_scheduled_scans_max_concurrency,
        :shared_runners_minutes,
        :throttle_incident_management_notification_enabled,
        :throttle_incident_management_notification_per_period,

--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -193,6 +193,10 @@ module ApplicationSetting

      validates :zoekt_settings, json_schema: { filename: 'application_setting_zoekt_settings' }

+      validates :security_policy_scheduled_scans_max_concurrency,
+        presence: true,
+        numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+
      after_commit :update_personal_access_tokens_lifetime, if: :saved_change_to_max_personal_access_token_lifetime?
      after_commit :resume_elasticsearch_indexing
    end
@@ -246,6 +250,7 @@ def defaults
          secret_detection_token_revocation_url: nil,
          secret_detection_token_revocation_token: nil,
          secret_detection_revocation_token_types_url: nil,
+          security_policy_scheduled_scans_max_concurrency: 100,
          max_number_of_repository_downloads: 0,
          max_number_of_repository_downloads_within_time_period: 0,
          git_rate_limit_users_allowlist: [],

--- a/ee/app/views/admin/application_settings/_security_policy_scheduled_scans_max_concurrency.html.haml
+++ b/ee/app/views/admin/application_settings/_security_policy_scheduled_scans_max_concurrency.html.haml
+- return unless License.current&.ultimate?
+
+.form-group
+  = form.label :security_policy_scheduled_scans_max_concurrency, s_('SecurityOrchestration|Security policy scheduled scans maximum concurrency'), class: 'label-bold'
+  = form.number_field :security_policy_scheduled_scans_max_concurrency, class: 'form-control gl-form-input'
--- a/ee/spec/models/application_setting_spec.rb
+++ b/ee/spec/models/application_setting_spec.rb
@@ -95,6 +95,12 @@
                         .is_greater_than_or_equal_to(5)
                         .is_less_than_or_equal_to(::Security::ScanResultPolicy::POLICIES_LIMIT)
      end
+
+      it do
+        is_expected.to validate_numericality_of(:security_policy_scheduled_scans_max_concurrency)
+                         .only_integer
+                         .is_greater_than_or_equal_to(0)
+      end
    end

    describe 'future_subscriptions', feature_category: :subscription_management do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -47104,6 +47104,9 @@ msgstr ""
 msgid "SecurityOrchestration|Security policy projects store your organization's security policies. They are identified when policies are created, or when a project is linked as a security policy project. %{linkStart}Learn more%{linkEnd}."
 msgstr ""
  
+msgid "SecurityOrchestration|Security policy scheduled scans maximum concurrency"
+msgstr ""
+
 msgid "SecurityOrchestration|Select a project to store your security policies in. %{linkStart}More information.%{linkEnd}"
 msgstr ""