From 228798284c942b56576ec207e56e83892c59554e Mon Sep 17 00:00:00 2001
From: Zamir Martins Filho <zfilho@gitlab.com>
Date: Mon, 7 Feb 2022 15:50:38 -0500
Subject: [PATCH 1/4] Add main body for scan result policy rule mode

to be further extended with policy rule and
action builders.

EE: true
---
 .../scan_result_policy/lib/from_yaml.js       |  46 +++++-
 .../scan_result_policy_editor.vue             | 144 ++++++++++++++++--
 .../scan_result_policy/lib/from_yaml_spec.js  | 128 ++++++++++++++++
 .../scan_result_policy_editor_spec.js         |  68 ++++++++-
 .../threat_monitoring/mocks/mock_data.js      |   8 +-
 5 files changed, 378 insertions(+), 16 deletions(-)
 create mode 100644 ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml_spec.js

diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
index b93cf76c241f14..6110d71890c482 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
@@ -1,8 +1,52 @@
 import { safeLoad } from 'js-yaml';
 
+/**
+ * Checks for parameters unsupported by the scan result policy "Rule Mode"
+ * @param {String} manifest YAML of scan result policy
+ * @returns {Boolean} whether the YAML is valid to be parsed into "Rule Mode"
+ */
+const hasUnsupportedAttribute = (manifest) => {
+  const primaryKeys = ['type', 'name', 'description', 'enabled', 'rules', 'actions'];
+  const rulesKeys = [
+    'type',
+    'branches',
+    'scanners',
+    'vulnerabilities_allowed',
+    'severity_levels',
+    'vulnerability_states',
+  ];
+  const actionsKeys = [
+    'type',
+    'approvals_required',
+    'user_approvers',
+    'group_approvers',
+    'user_approvers_ids',
+    'group_approvers_ids',
+  ];
+
+  let isUnsupported = false;
+  const hasInvalidKey = (object, allowedValues) => {
+    return !Object.keys(object).every((item) => allowedValues.includes(item));
+  };
+
+  isUnsupported = hasInvalidKey(manifest, primaryKeys);
+
+  if (manifest?.rules && !isUnsupported) {
+    isUnsupported = manifest.rules.find((rule) => hasInvalidKey(rule, rulesKeys));
+  }
+  if (manifest?.actions && !isUnsupported) {
+    isUnsupported = manifest.actions.find((action) => hasInvalidKey(action, actionsKeys));
+  }
+
+  return isUnsupported;
+};
+
 /*
   Construct a policy object expected by the policy editor from a yaml manifest.
 */
 export const fromYaml = (manifest) => {
-  return safeLoad(manifest, { json: true });
+  const policy = safeLoad(manifest, { json: true });
+  if (hasUnsupportedAttribute(policy)) return { error: true };
+
+  return policy;
 };
diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
index 811e5ccec3d699..5d8865488433bb 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
@@ -1,31 +1,54 @@
 <script>
-import { GlEmptyState } from '@gitlab/ui';
+import {
+  GlEmptyState,
+  GlButton,
+  GlToggle,
+  GlFormGroup,
+  GlFormInput,
+  GlFormTextarea,
+  GlAlert,
+} from '@gitlab/ui';
 import { joinPaths, visitUrl, setUrlFragment } from '~/lib/utils/url_utility';
 import { __, s__ } from '~/locale';
 import {
-  EDITOR_MODES,
   EDITOR_MODE_YAML,
   SECURITY_POLICY_ACTIONS,
   GRAPHQL_ERROR_MESSAGE,
+  PARSING_ERROR_MESSAGE,
 } from '../constants';
 import PolicyEditorLayout from '../policy_editor_layout.vue';
 import { assignSecurityPolicyProject, modifyPolicy } from '../utils';
+import DimDisableContainer from '../dim_disable_container.vue';
 import { DEFAULT_SCAN_RESULT_POLICY, fromYaml, toYaml } from './lib';
 
 export default {
   SECURITY_POLICY_ACTIONS,
-  DEFAULT_EDITOR_MODE: EDITOR_MODE_YAML,
-  EDITOR_MODES: [EDITOR_MODES[1]],
+  EDITOR_MODE_YAML,
   i18n: {
+    PARSING_ERROR_MESSAGE,
+    addRule: s__('SecurityOrchestration|Add rule'),
+    description: __('Description'),
+    name: __('Name'),
+    toggleLabel: s__('SecurityOrchestration|Policy status'),
+    rules: s__('SecurityOrchestration|Rules'),
     createMergeRequest: __('Create via merge request'),
     notOwnerButtonText: __('Learn more'),
     notOwnerDescription: s__(
       'SecurityOrchestration|Scan result policies can only be created by project owners.',
     ),
+    yamlPreview: s__('SecurityOrchestration|.yaml preview'),
+    actions: s__('SecurityOrchestration|Actions'),
   },
   components: {
     GlEmptyState,
+    GlButton,
+    GlToggle,
+    GlFormGroup,
+    GlFormInput,
+    GlFormTextarea,
+    GlAlert,
     PolicyEditorLayout,
+    DimDisableContainer,
   },
   inject: [
     'disableScanPolicyUpdate',
@@ -67,6 +90,8 @@ export default {
         this.scanPolicyDocumentationPath,
         'scan-result-policy-editor',
       ),
+      yamlEditorError: null,
+      mode: EDITOR_MODE_YAML,
     };
   },
   computed: {
@@ -78,6 +103,15 @@ export default {
         ? this.$options.SECURITY_POLICY_ACTIONS.REPLACE
         : this.$options.SECURITY_POLICY_ACTIONS.APPEND;
     },
+    policyYaml() {
+      return this.hasParsingError ? '' : toYaml(this.policy);
+    },
+    hasParsingError() {
+      return Boolean(this.yamlEditorError);
+    },
+    isWithinLimit() {
+      return this.policy.rules.length < 5;
+    },
   },
   methods: {
     handleError(error) {
@@ -102,13 +136,14 @@ export default {
 
       try {
         const assignedPolicyProject = await this.getSecurityPolicyProject();
-
+        const yamlValue =
+          this.mode === EDITOR_MODE_YAML ? this.yamlEditorValue : toYaml(this.policy);
         const mergeRequest = await modifyPolicy({
           action,
           assignedPolicyProject,
           name: this.originalName || fromYaml(this.yamlEditorValue)?.name,
           projectPath: this.projectPath,
-          yamlEditorValue: this.yamlEditorValue,
+          yamlEditorValue: yamlValue,
         });
 
         this.redirectToMergeRequest({ mergeRequest, assignedPolicyProject });
@@ -136,6 +171,23 @@ export default {
     },
     updateYaml(manifest) {
       this.yamlEditorValue = manifest;
+      this.yamlEditorError = null;
+
+      try {
+        const newPolicy = fromYaml(manifest);
+        if (newPolicy.error) {
+          throw new Error(newPolicy.error);
+        }
+        Object.assign(this.policy, newPolicy);
+      } catch (error) {
+        this.yamlEditorError = error;
+      }
+    },
+    changeEditorMode(mode) {
+      this.mode = mode;
+      if (mode === EDITOR_MODE_YAML && !this.hasParsingError) {
+        this.yamlEditorValue = toYaml(this.policy);
+      }
     },
   },
 };
@@ -145,8 +197,7 @@ export default {
   <policy-editor-layout
     v-if="!disableScanPolicyUpdate"
     :custom-save-button-text="$options.i18n.createMergeRequest"
-    :default-editor-mode="$options.DEFAULT_EDITOR_MODE"
-    :editor-modes="$options.EDITOR_MODES"
+    :default-editor-mode="$options.EDITOR_MODE_YAML"
     :is-editing="isEditing"
     :is-removing-policy="isRemovingPolicy"
     :is-updating-policy="isCreatingMR"
@@ -155,7 +206,82 @@ export default {
     @remove-policy="handleModifyPolicy($options.SECURITY_POLICY_ACTIONS.REMOVE)"
     @save-policy="handleModifyPolicy()"
     @update-yaml="updateYaml"
-  />
+    @update-editor-mode="changeEditorMode"
+  >
+    <template #rule-editor>
+      <gl-alert
+        v-if="hasParsingError"
+        data-testid="parsing-alert"
+        class="gl-mb-5"
+        :dismissible="false"
+      >
+        {{ $options.i18n.PARSING_ERROR_MESSAGE }}
+      </gl-alert>
+
+      <gl-form-group :label="$options.i18n.name" label-for="policyName">
+        <gl-form-input id="policyName" v-model="policy.name" :disabled="hasParsingError" />
+      </gl-form-group>
+
+      <gl-form-group :label="$options.i18n.description" label-for="policyDescription">
+        <gl-form-textarea
+          id="policyDescription"
+          v-model="policy.description"
+          :disabled="hasParsingError"
+        />
+      </gl-form-group>
+
+      <gl-form-group :disabled="hasParsingError" data-testid="policy-enable">
+        <gl-toggle
+          v-model="policy.enabled"
+          :label="$options.i18n.toggleLabel"
+          :disabled="hasParsingError"
+        />
+      </gl-form-group>
+
+      <dim-disable-container data-testid="rule-builder-container" :disabled="hasParsingError">
+        <template #title>
+          <h4>{{ $options.i18n.rules }}</h4>
+        </template>
+
+        <template #disabled>
+          <div
+            class="gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base gl-p-6"
+          ></div>
+        </template>
+
+        <div
+          v-if="isWithinLimit"
+          class="gl-p-5 gl-rounded-base gl-border-1 gl-border-solid gl-border-gray-100 gl-mb-5 gl-bg-gray-10"
+        >
+          <gl-button variant="link" data-testid="add-rule" icon="plus" disabled>
+            {{ $options.i18n.addRule }}
+          </gl-button>
+        </div>
+      </dim-disable-container>
+
+      <dim-disable-container data-testid="action-container" :disabled="hasParsingError">
+        <template #title>
+          <h4>{{ $options.i18n.actions }}</h4>
+        </template>
+
+        <template #disabled>
+          <div
+            class="gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base gl-p-6"
+          ></div>
+        </template>
+      </dim-disable-container>
+    </template>
+
+    <template #rule-editor-preview>
+      <h5>{{ $options.i18n.yamlPreview }}</h5>
+      <pre
+        data-testid="yaml-preview"
+        class="gl-bg-white gl-border-none gl-p-0"
+        :class="{ 'gl-opacity-5': hasParsingError }"
+        >{{ policyYaml || yamlEditorValue }}</pre
+      >
+    </template>
+  </policy-editor-layout>
   <gl-empty-state
     v-else
     :description="$options.i18n.notOwnerDescription"
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml_spec.js
new file mode 100644
index 00000000000000..b95a958d43290f
--- /dev/null
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml_spec.js
@@ -0,0 +1,128 @@
+import { fromYaml } from 'ee/threat_monitoring/components/policy_editor/scan_result_policy/lib';
+
+const validManifest = `type: scan_result_policy
+name: critical vulnerability CS approvals
+description: critical severity level only for container scanning
+enabled: true
+rules:
+  - type: scan_finding
+    branches: []
+    scanners:
+      - container_scanning
+    vulnerabilities_allowed: 1
+    severity_levels:
+      - critical
+    vulnerability_states:
+      - newly_detected
+actions:
+  - type: require_approval
+    approvals_required: 1
+    user_approvers:
+      - o.lecia.conner
+    group_approvers_ids:
+      - 343
+`;
+
+const invalidPrimaryKeys = `type: scan_result_policy
+name: critical vulnerability CS approvals
+description: critical severity level only for container scanning
+invalidEnabledKey: false
+rules:
+  - type: scan_finding
+    branches: []
+    scanners:
+      - container_scanning
+    vulnerabilities_allowed: 1
+    severity_levels:
+      - critical
+    vulnerability_states:
+      - newly_detected
+actions:
+  - type: require_approval
+    approvals_required: 1
+    user_approvers:
+      - o.lecia.conner
+    group_approvers_ids:
+      - 343
+`;
+const invalidRuleKeys = `type: scan_result_policy
+name: critical vulnerability CS approvals
+description: critical severity level only for container scanning
+enabled: true
+rules:
+  - type: scan_finding
+    brunch: []
+    scanners:
+      - container_scanning
+    vulnerabilities_allowed: 1
+    severity_levels:
+      - critical
+    vulnerability_states:
+      - newly_detected
+actions:
+  - type: require_approval
+    approvals_required: 1
+    user_approvers:
+      - o.lecia.conner
+    group_approvers_ids:
+      - 343
+`;
+
+const invalidActionKeys = `type: scan_result_policy
+name: critical vulnerability CS approvals
+description: critical severity level only for container scanning
+enabled: true
+rules:
+  - type: scan_finding
+    branches: []
+    scanners:
+      - container_scanning
+    vulnerabilities_allowed: 1
+    severity_levels:
+      - critical
+    vulnerability_states:
+      - newly_detected
+actions:
+  - type: require_approval
+    approvals_required: 1
+    favorite_approvers:
+      - o.lecia.conner
+    group_approvers_ids:
+      - 343
+`;
+
+describe('fromYaml', () => {
+  it('returns policy as json with not error', () => {
+    expect(fromYaml(validManifest)).toStrictEqual({
+      actions: [
+        {
+          approvals_required: 1,
+          group_approvers_ids: [343],
+          type: 'require_approval',
+          user_approvers: ['o.lecia.conner'],
+        },
+      ],
+      description: 'critical severity level only for container scanning',
+      enabled: true,
+      name: 'critical vulnerability CS approvals',
+      rules: [
+        {
+          branches: [],
+          scanners: ['container_scanning'],
+          severity_levels: ['critical'],
+          type: 'scan_finding',
+          vulnerabilities_allowed: 1,
+          vulnerability_states: ['newly_detected'],
+        },
+      ],
+      type: 'scan_result_policy',
+    });
+  });
+
+  it.each([invalidPrimaryKeys, invalidRuleKeys, invalidActionKeys])(
+    'returns hash with error set to true',
+    ({ invalidManifest }) => {
+      expect(fromYaml(invalidManifest)).toStrictEqual({ error: true });
+    },
+  );
+});
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
index b1ca7c27183d2d..75b5ae7acba84c 100644
--- a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
@@ -1,5 +1,5 @@
 import { shallowMount } from '@vue/test-utils';
-import { GlEmptyState } from '@gitlab/ui';
+import { GlEmptyState, GlAlert, GlFormInput, GlFormTextarea, GlToggle } from '@gitlab/ui';
 import { nextTick } from 'vue';
 import waitForPromises from 'helpers/wait_for_promises';
 import PolicyEditorLayout from 'ee/threat_monitoring/components/policy_editor/policy_editor_layout.vue';
@@ -16,7 +16,11 @@ import {
 import { visitUrl } from '~/lib/utils/url_utility';
 
 import { modifyPolicy } from 'ee/threat_monitoring/components/policy_editor/utils';
-import { SECURITY_POLICY_ACTIONS } from 'ee/threat_monitoring/components/policy_editor/constants';
+import {
+  SECURITY_POLICY_ACTIONS,
+  EDITOR_MODE_YAML,
+} from 'ee/threat_monitoring/components/policy_editor/constants';
+import DimDisableContainer from 'ee/threat_monitoring/components/policy_editor/dim_disable_container.vue';
 
 jest.mock('~/lib/utils/url_utility', () => ({
   joinPaths: jest.requireActual('~/lib/utils/url_utility').joinPaths,
@@ -77,6 +81,13 @@ describe('ScanResultPolicyEditor', () => {
 
   const findEmptyState = () => wrapper.findComponent(GlEmptyState);
   const findPolicyEditorLayout = () => wrapper.findComponent(PolicyEditorLayout);
+  const findAddRuleButton = () => wrapper.find('[data-testid="add-rule"]');
+  const findAlert = () => wrapper.findComponent(GlAlert);
+  const findNameInput = () => wrapper.findComponent(GlFormInput);
+  const findDescriptionTextArea = () => wrapper.findComponent(GlFormTextarea);
+  const findEnableToggle = () => wrapper.findComponent(GlToggle);
+  const findAllDisabledComponents = () => wrapper.findAllComponents(DimDisableContainer);
+  const findYamlPreview = () => wrapper.find('[data-testid="yaml-preview"]');
 
   afterEach(() => {
     wrapper.destroy();
@@ -94,6 +105,59 @@ describe('ScanResultPolicyEditor', () => {
       expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toBe(newManifest);
     });
 
+    it('disables add rule button until feature is merged', async () => {
+      factory();
+      await nextTick();
+      expect(findAddRuleButton().props('disabled')).toBe(true);
+    });
+
+    it('displays alert for invalid yaml', async () => {
+      factory();
+      await nextTick();
+      expect(findAlert().exists()).toBe(false);
+      await findPolicyEditorLayout().vm.$emit('update-yaml', 'invalid manifest');
+      expect(findAlert().exists()).toBe(true);
+    });
+
+    it('disables all rule mode related components when the yaml is invalid', async () => {
+      factory();
+      await nextTick();
+      await findPolicyEditorLayout().vm.$emit('update-yaml', 'invalid manifest');
+      expect(findNameInput().attributes('disabled')).toBe('true');
+      expect(findDescriptionTextArea().attributes('disabled')).toBe('true');
+      expect(findEnableToggle().props('disabled')).toBe(true);
+      expect(findAllDisabledComponents().at(0).props('disabled')).toBe(true);
+      expect(findAllDisabledComponents().at(1).props('disabled')).toBe(true);
+    });
+
+    it('defaults to YAML mode', async () => {
+      factory();
+      await nextTick();
+      expect(findPolicyEditorLayout().attributes().defaulteditormode).toBe(EDITOR_MODE_YAML);
+    });
+
+    describe.each`
+      currentComponent           | newValue                    | event
+      ${findNameInput}           | ${'new policy name'}        | ${'input'}
+      ${findDescriptionTextArea} | ${'new policy description'} | ${'input'}
+      ${findEnableToggle}        | ${true}                     | ${'change'}
+    `('triggering a change on $currentComponent', ({ currentComponent, newValue, event }) => {
+      it('updates YAML when switching modes', async () => {
+        factory();
+        await nextTick();
+        await currentComponent().vm.$emit(event, newValue);
+        await findPolicyEditorLayout().vm.$emit('update-editor-mode', EDITOR_MODE_YAML);
+        expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toMatch(newValue.toString());
+      });
+
+      it('updates the yaml preview', async () => {
+        factory();
+        await nextTick();
+        await currentComponent().vm.$emit(event, newValue);
+        expect(findYamlPreview().html()).toMatch(newValue.toString());
+      });
+    });
+
     it.each`
       status                            | action                             | event              | factoryFn                    | yamlEditorValue               | currentlyAssignedPolicyProject
       ${'to save a new policy'}         | ${SECURITY_POLICY_ACTIONS.APPEND}  | ${'save-policy'}   | ${factory}                   | ${DEFAULT_SCAN_RESULT_POLICY} | ${newlyCreatedPolicyProject}
diff --git a/ee/spec/frontend/threat_monitoring/mocks/mock_data.js b/ee/spec/frontend/threat_monitoring/mocks/mock_data.js
index 00468ba8745bdb..3c797b803f23ce 100644
--- a/ee/spec/frontend/threat_monitoring/mocks/mock_data.js
+++ b/ee/spec/frontend/threat_monitoring/mocks/mock_data.js
@@ -210,11 +210,11 @@ rules:
       - main
     scanners:
       - container_scanning
-    vulnerability_allowed: 1
+    vulnerabilities_allowed: 1
     severity_levels:
       - critical
     vulnerability_states:
-      - newly_added
+      - newly_detected
 actions:
   - type: require_approval
     approvals_required: 1
@@ -232,9 +232,9 @@ export const mockScanResultObject = {
       type: 'scan_finding',
       branches: ['main'],
       scanners: ['container_scanning'],
-      vulnerability_allowed: 1,
+      vulnerabilities_allowed: 1,
       severity_levels: ['critical'],
-      vulnerability_states: ['newly_added'],
+      vulnerability_states: ['newly_detected'],
     },
   ],
   actions: [
-- 
GitLab


From 5c75faed769aa5bfafaa4e4b002c9edec12dd0bc Mon Sep 17 00:00:00 2001
From: Zamir Martins Filho <zfilho@gitlab.com>
Date: Tue, 8 Feb 2022 12:16:22 -0500
Subject: [PATCH 2/4] Address reviewer suggestions on better formating

the specs, refactoring by applying a ternary
operator and extracting duplucated CSS classes
into a constant.
---
 .../scan_result_policy/lib/from_yaml.js       |  4 +--
 .../scan_result_policy_editor.vue             | 15 ++++-------
 .../scan_result_policy_editor_spec.js         | 25 ++++++++++++++++++-
 3 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
index 6110d71890c482..c29681ddd3081e 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js
@@ -46,7 +46,5 @@ const hasUnsupportedAttribute = (manifest) => {
 */
 export const fromYaml = (manifest) => {
   const policy = safeLoad(manifest, { json: true });
-  if (hasUnsupportedAttribute(policy)) return { error: true };
-
-  return policy;
+  return hasUnsupportedAttribute(policy) ? { error: true } : policy;
 };
diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
index 5d8865488433bb..008f252495d2de 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
@@ -24,6 +24,8 @@ import { DEFAULT_SCAN_RESULT_POLICY, fromYaml, toYaml } from './lib';
 export default {
   SECURITY_POLICY_ACTIONS,
   EDITOR_MODE_YAML,
+  SHARED_FOR_DISABLED:
+    'gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base',
   i18n: {
     PARSING_ERROR_MESSAGE,
     addRule: s__('SecurityOrchestration|Add rule'),
@@ -244,15 +246,10 @@ export default {
         </template>
 
         <template #disabled>
-          <div
-            class="gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base gl-p-6"
-          ></div>
+          <div :class="`${$options.SHARED_FOR_DISABLED} gl-p-6`"></div>
         </template>
 
-        <div
-          v-if="isWithinLimit"
-          class="gl-p-5 gl-rounded-base gl-border-1 gl-border-solid gl-border-gray-100 gl-mb-5 gl-bg-gray-10"
-        >
+        <div v-if="isWithinLimit" :class="`${$options.SHARED_FOR_DISABLED} gl-p-5 gl-mb-5`">
           <gl-button variant="link" data-testid="add-rule" icon="plus" disabled>
             {{ $options.i18n.addRule }}
           </gl-button>
@@ -265,9 +262,7 @@ export default {
         </template>
 
         <template #disabled>
-          <div
-            class="gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base gl-p-6"
-          ></div>
+          <div :class="`${$options.SHARED_FOR_DISABLED} gl-p-6`"></div>
         </template>
       </dim-disable-container>
     </template>
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
index 75b5ae7acba84c..856ddc24987fed 100644
--- a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
@@ -95,34 +95,47 @@ describe('ScanResultPolicyEditor', () => {
 
   describe('default', () => {
     it('updates the policy yaml when "update-yaml" is emitted', async () => {
+      const newManifest = 'new yaml!';
       factory();
+
       await nextTick();
-      const newManifest = 'new yaml!';
+
       expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toBe(
         DEFAULT_SCAN_RESULT_POLICY,
       );
+
       await findPolicyEditorLayout().vm.$emit('update-yaml', newManifest);
+
       expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toBe(newManifest);
     });
 
     it('disables add rule button until feature is merged', async () => {
       factory();
+
       await nextTick();
+
       expect(findAddRuleButton().props('disabled')).toBe(true);
     });
 
     it('displays alert for invalid yaml', async () => {
       factory();
+
       await nextTick();
+
       expect(findAlert().exists()).toBe(false);
+
       await findPolicyEditorLayout().vm.$emit('update-yaml', 'invalid manifest');
+
       expect(findAlert().exists()).toBe(true);
     });
 
     it('disables all rule mode related components when the yaml is invalid', async () => {
       factory();
+
       await nextTick();
+
       await findPolicyEditorLayout().vm.$emit('update-yaml', 'invalid manifest');
+
       expect(findNameInput().attributes('disabled')).toBe('true');
       expect(findDescriptionTextArea().attributes('disabled')).toBe('true');
       expect(findEnableToggle().props('disabled')).toBe(true);
@@ -132,7 +145,9 @@ describe('ScanResultPolicyEditor', () => {
 
     it('defaults to YAML mode', async () => {
       factory();
+
       await nextTick();
+
       expect(findPolicyEditorLayout().attributes().defaulteditormode).toBe(EDITOR_MODE_YAML);
     });
 
@@ -144,16 +159,20 @@ describe('ScanResultPolicyEditor', () => {
     `('triggering a change on $currentComponent', ({ currentComponent, newValue, event }) => {
       it('updates YAML when switching modes', async () => {
         factory();
+
         await nextTick();
         await currentComponent().vm.$emit(event, newValue);
         await findPolicyEditorLayout().vm.$emit('update-editor-mode', EDITOR_MODE_YAML);
+
         expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toMatch(newValue.toString());
       });
 
       it('updates the yaml preview', async () => {
         factory();
+
         await nextTick();
         await currentComponent().vm.$emit(event, newValue);
+
         expect(findYamlPreview().html()).toMatch(newValue.toString());
       });
     });
@@ -167,9 +186,13 @@ describe('ScanResultPolicyEditor', () => {
       'navigates to the new merge request when "modifyPolicy" is emitted $status',
       async ({ action, event, factoryFn, yamlEditorValue, currentlyAssignedPolicyProject }) => {
         factoryFn();
+
         await nextTick();
+
         findPolicyEditorLayout().vm.$emit(event);
+
         await waitForPromises();
+
         expect(modifyPolicy).toHaveBeenCalledWith({
           action,
           assignedPolicyProject: currentlyAssignedPolicyProject,
-- 
GitLab


From 168c20a04bf0e2d6898ce1dadea81db8779905ba Mon Sep 17 00:00:00 2001
From: Zamir Martins Filho <zfilho@gitlab.com>
Date: Wed, 9 Feb 2022 13:20:19 -0500
Subject: [PATCH 3/4] Address maintainer review

by cleaning specs by moving nexttick into
factory method and replacing Object.assign by
the spread operator.
---
 .../scan_result_policy_editor.vue             |  2 +-
 .../scan_result_policy_editor_spec.js         | 34 ++++++-------------
 2 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
index 008f252495d2de..b5eb31e20efe53 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
@@ -180,7 +180,7 @@ export default {
         if (newPolicy.error) {
           throw new Error(newPolicy.error);
         }
-        Object.assign(this.policy, newPolicy);
+        this.policy = { ...this.policy, ...newPolicy };
       } catch (error) {
         this.yamlEditorError = error;
       }
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
index 856ddc24987fed..eb000a656b3184 100644
--- a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
@@ -67,6 +67,7 @@ describe('ScanResultPolicyEditor', () => {
         ...provide,
       },
     });
+    nextTick();
   };
 
   const factoryWithExistingPolicy = () => {
@@ -96,9 +97,7 @@ describe('ScanResultPolicyEditor', () => {
   describe('default', () => {
     it('updates the policy yaml when "update-yaml" is emitted', async () => {
       const newManifest = 'new yaml!';
-      factory();
-
-      await nextTick();
+      await factory();
 
       expect(findPolicyEditorLayout().attributes('yamleditorvalue')).toBe(
         DEFAULT_SCAN_RESULT_POLICY,
@@ -110,17 +109,13 @@ describe('ScanResultPolicyEditor', () => {
     });
 
     it('disables add rule button until feature is merged', async () => {
-      factory();
-
-      await nextTick();
+      await factory();
 
       expect(findAddRuleButton().props('disabled')).toBe(true);
     });
 
     it('displays alert for invalid yaml', async () => {
-      factory();
-
-      await nextTick();
+      await factory();
 
       expect(findAlert().exists()).toBe(false);
 
@@ -130,9 +125,7 @@ describe('ScanResultPolicyEditor', () => {
     });
 
     it('disables all rule mode related components when the yaml is invalid', async () => {
-      factory();
-
-      await nextTick();
+      await factory();
 
       await findPolicyEditorLayout().vm.$emit('update-yaml', 'invalid manifest');
 
@@ -144,9 +137,7 @@ describe('ScanResultPolicyEditor', () => {
     });
 
     it('defaults to YAML mode', async () => {
-      factory();
-
-      await nextTick();
+      await factory();
 
       expect(findPolicyEditorLayout().attributes().defaulteditormode).toBe(EDITOR_MODE_YAML);
     });
@@ -158,9 +149,8 @@ describe('ScanResultPolicyEditor', () => {
       ${findEnableToggle}        | ${true}                     | ${'change'}
     `('triggering a change on $currentComponent', ({ currentComponent, newValue, event }) => {
       it('updates YAML when switching modes', async () => {
-        factory();
+        await factory();
 
-        await nextTick();
         await currentComponent().vm.$emit(event, newValue);
         await findPolicyEditorLayout().vm.$emit('update-editor-mode', EDITOR_MODE_YAML);
 
@@ -168,9 +158,8 @@ describe('ScanResultPolicyEditor', () => {
       });
 
       it('updates the yaml preview', async () => {
-        factory();
+        await factory();
 
-        await nextTick();
         await currentComponent().vm.$emit(event, newValue);
 
         expect(findYamlPreview().html()).toMatch(newValue.toString());
@@ -185,9 +174,7 @@ describe('ScanResultPolicyEditor', () => {
     `(
       'navigates to the new merge request when "modifyPolicy" is emitted $status',
       async ({ action, event, factoryFn, yamlEditorValue, currentlyAssignedPolicyProject }) => {
-        factoryFn();
-
-        await nextTick();
+        await factoryFn();
 
         findPolicyEditorLayout().vm.$emit(event);
 
@@ -212,7 +199,8 @@ describe('ScanResultPolicyEditor', () => {
 
   describe('when a user is not an owner of the project', () => {
     it('displays the empty state with the appropriate properties', async () => {
-      factory({ provide: { disableScanPolicyUpdate: true } });
+      await factory({ provide: { disableScanPolicyUpdate: true } });
+
       const emptyState = findEmptyState();
 
       expect(emptyState.props('primaryButtonLink')).toMatch(scanPolicyDocumentationPath);
-- 
GitLab


From 6a45110c07f668abaee2b2b3067302fe19637c84 Mon Sep 17 00:00:00 2001
From: Zamir Martins <zfilho@gitlab.com>
Date: Wed, 16 Feb 2022 16:58:21 +0000
Subject: [PATCH 4/4] Add policy action builder into scan result policy

page. There is another MR in parallel to this one
dealing with policy rules. This is applicable to
both new and existing policies.

EE: true
---
 .../scan_result_policy/lib/actions.js         |  52 ++++++
 .../policy_action_builder.vue                 | 124 +++++++++++++++
 .../scan_result_policy_editor.vue             |  14 ++
 .../scan_result_policy/lib/actions_spec.js    | 148 ++++++++++++++++++
 .../policy_action_builder_spec.js             |  97 ++++++++++++
 .../scan_result_policy_editor_spec.js         |  28 +++-
 locale/gitlab.pot                             |   6 +
 7 files changed, 468 insertions(+), 1 deletion(-)
 create mode 100644 ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions.js
 create mode 100644 ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue
 create mode 100644 ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions_spec.js
 create mode 100644 ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder_spec.js

diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions.js b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions.js
new file mode 100644
index 00000000000000..30f610bdcb66fe
--- /dev/null
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions.js
@@ -0,0 +1,52 @@
+export const USER_TYPE = 'user';
+const GROUP_TYPE = 'group';
+
+/*
+  Return the ids for all approvers of the group type.
+*/
+export function groupIds(approvers) {
+  return approvers
+    .filter((approver) => approver.type === GROUP_TYPE)
+    .map((approver) => approver.id);
+}
+
+/*
+  Return the ids for all approvers of the user type.
+*/
+export function userIds(approvers) {
+  return approvers.filter((approver) => approver.type === USER_TYPE).map((approver) => approver.id);
+}
+
+/*
+  Group existing approvers into a single array.
+*/
+export function groupApprovers(existingApprovers) {
+  const approvers = [...existingApprovers];
+  const userUniqKeys = ['state', 'username'];
+  const groupUniqKeys = ['full_name', 'full_path'];
+
+  return approvers.map((approver) => {
+    const approverKeys = Object.keys(approver);
+
+    if (approverKeys.includes(...groupUniqKeys)) {
+      return { ...approver, type: GROUP_TYPE };
+    } else if (approverKeys.includes(...userUniqKeys)) {
+      return { ...approver, type: USER_TYPE };
+    }
+    return approver;
+  });
+}
+
+/*
+  Convert approvers into yaml fields (user_approvers, users_approvers_ids) in relation to action.
+*/
+export function decomposeApprovers(action, approvers) {
+  const newAction = { ...action };
+  delete newAction.group_approvers;
+  delete newAction.user_approvers;
+  return {
+    ...newAction,
+    user_approvers_ids: userIds(approvers),
+    group_approvers_ids: groupIds(approvers),
+  };
+}
diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue
new file mode 100644
index 00000000000000..c1fd280427af1f
--- /dev/null
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue
@@ -0,0 +1,124 @@
+<script>
+import {
+  GlSprintf,
+  GlForm,
+  GlFormInput,
+  GlModalDirective,
+  GlToken,
+  GlAvatarLabeled,
+} from '@gitlab/ui';
+import { s__ } from '~/locale';
+import { AVATAR_SHAPE_OPTION_CIRCLE, AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
+import { groupApprovers, decomposeApprovers, USER_TYPE } from './lib/actions';
+
+export default {
+  components: {
+    GlSprintf,
+    GlForm,
+    GlFormInput,
+    GlToken,
+    GlAvatarLabeled,
+  },
+  directives: {
+    GlModalDirective,
+  },
+  inject: ['projectId'],
+  props: {
+    initAction: {
+      type: Object,
+      required: true,
+    },
+    existingApprovers: {
+      type: Array,
+      required: true,
+    },
+  },
+  data() {
+    return {
+      action: { ...this.initAction },
+      approvers: groupApprovers(this.existingApprovers),
+    };
+  },
+  watch: {
+    approvers(values) {
+      this.action = decomposeApprovers(this.action, values);
+    },
+    action: {
+      handler(values) {
+        this.$emit('changed', values);
+      },
+      deep: true,
+    },
+  },
+  methods: {
+    approvalsRequiredChanged(value) {
+      this.action.approvals_required = parseInt(value, 10);
+    },
+    removeApprover(removedApprover) {
+      this.approvers = this.approvers.filter(
+        (approver) => approver.type !== removedApprover.type || approver.id !== removedApprover.id,
+      );
+    },
+    avatarShape(approver) {
+      return this.isUser(approver) ? AVATAR_SHAPE_OPTION_CIRCLE : AVATAR_SHAPE_OPTION_RECT;
+    },
+    approverName(approver) {
+      return this.isUser(approver) ? approver.name : approver.full_path;
+    },
+    isUser(approver) {
+      return approver.type === USER_TYPE;
+    },
+  },
+  i18n: {
+    addAnApprover: s__('ScanResultPolicy|add an approver'),
+  },
+  humanizedTemplate: s__(
+    'ScanResultPolicy|%{thenLabelStart}Then%{thenLabelEnd} Require approval from %{approvalsRequired} of the following approvers: %{approvers}',
+  ),
+};
+</script>
+
+<template>
+  <div
+    class="gl-bg-gray-10 gl-border-solid gl-border-1 gl-border-gray-100 gl-rounded-base gl-px-5! gl-pt-5! gl-relative gl-pb-4"
+  >
+    <gl-form inline @submit.prevent>
+      <gl-sprintf :message="$options.humanizedTemplate">
+        <template #thenLabel="{ content }">
+          <label for="approvalRequired" class="text-uppercase gl-font-lg gl-mr-3">{{
+            content
+          }}</label>
+        </template>
+
+        <template #approvalsRequired>
+          <gl-form-input
+            :value="action.approvals_required"
+            type="number"
+            class="gl-w-11! gl-m-3"
+            :min="1"
+            data-testid="approvals-required-input"
+            @input="approvalsRequiredChanged"
+          />
+        </template>
+
+        <template #approvers>
+          <gl-token
+            v-for="approver in approvers"
+            :key="approver.type + approver.id"
+            class="gl-ml-3"
+            @close="removeApprover(approver)"
+          >
+            <gl-avatar-labeled
+              :src="approver.avatar_url"
+              :size="24"
+              :shape="avatarShape(approver)"
+              :label="approverName(approver)"
+              :entity-name="approver.name"
+              :alt="approver.name"
+            />
+          </gl-token>
+        </template>
+      </gl-sprintf>
+    </gl-form>
+  </div>
+</template>
diff --git a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
index b5eb31e20efe53..f11806712d019b 100644
--- a/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
+++ b/ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor.vue
@@ -19,6 +19,7 @@ import {
 import PolicyEditorLayout from '../policy_editor_layout.vue';
 import { assignSecurityPolicyProject, modifyPolicy } from '../utils';
 import DimDisableContainer from '../dim_disable_container.vue';
+import PolicyActionBuilder from './policy_action_builder.vue';
 import { DEFAULT_SCAN_RESULT_POLICY, fromYaml, toYaml } from './lib';
 
 export default {
@@ -49,6 +50,7 @@ export default {
     GlFormInput,
     GlFormTextarea,
     GlAlert,
+    PolicyActionBuilder,
     PolicyEditorLayout,
     DimDisableContainer,
   },
@@ -116,6 +118,9 @@ export default {
     },
   },
   methods: {
+    updateAction(actionIndex, values) {
+      this.policy.actions.splice(actionIndex, 1, values);
+    },
     handleError(error) {
       if (error.message.toLowerCase().includes('graphql')) {
         this.$emit('error', GRAPHQL_ERROR_MESSAGE);
@@ -264,6 +269,15 @@ export default {
         <template #disabled>
           <div :class="`${$options.SHARED_FOR_DISABLED} gl-p-6`"></div>
         </template>
+
+        <policy-action-builder
+          v-for="(action, index) in policy.actions"
+          :key="index"
+          class="gl-mb-4"
+          :init-action="action"
+          :existing-approvers="scanResultPolicyApprovers"
+          @changed="updateAction(index, $event)"
+        />
       </dim-disable-container>
     </template>
 
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions_spec.js
new file mode 100644
index 00000000000000..26729159fce146
--- /dev/null
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions_spec.js
@@ -0,0 +1,148 @@
+import {
+  groupIds,
+  userIds,
+  groupApprovers,
+  decomposeApprovers,
+} from 'ee/threat_monitoring/components/policy_editor/scan_result_policy/lib/actions';
+
+// As returned by endpoints based on API::Entities::UserBasic
+const userApprover = {
+  id: 1,
+  name: null,
+  state: null,
+  username: null,
+  avatar_url: null,
+  web_url: null,
+};
+
+// As returned by endpoints based on API::Entities::PublicGroupDetails
+const groupApprover = {
+  id: 2,
+  name: null,
+  full_name: null,
+  full_path: null,
+  avatar_url: null,
+  web_url: null,
+};
+
+const unknownApprover = { id: 3, name: null };
+
+const allApprovers = [userApprover, groupApprover];
+
+const groupedApprovers = groupApprovers(allApprovers);
+
+describe('groupApprovers', () => {
+  describe('with mixed approvers', () => {
+    it('returns a copy of the input values with their proper type attribute', () => {
+      expect(groupApprovers(allApprovers)).toStrictEqual([
+        {
+          avatar_url: null,
+          id: userApprover.id,
+          name: null,
+          state: null,
+          type: 'user',
+          username: null,
+          web_url: null,
+        },
+        {
+          avatar_url: null,
+          full_name: null,
+          full_path: null,
+          id: groupApprover.id,
+          name: null,
+          type: 'group',
+          web_url: null,
+        },
+      ]);
+    });
+
+    it('sets types depending on whether the approver is a group or a user', () => {
+      const approvers = groupApprovers(allApprovers);
+      expect(approvers.find((approver) => approver.id === userApprover.id)).toEqual(
+        expect.objectContaining({ type: 'user' }),
+      );
+      expect(approvers.find((approver) => approver.id === groupApprover.id)).toEqual(
+        expect.objectContaining({ type: 'group' }),
+      );
+    });
+  });
+
+  it('sets group as a type for group related approvers', () => {
+    expect(groupApprovers([groupApprover])).toStrictEqual([
+      {
+        avatar_url: null,
+        full_name: null,
+        full_path: null,
+        id: groupApprover.id,
+        name: null,
+        type: 'group',
+        web_url: null,
+      },
+    ]);
+  });
+
+  it('sets user as a type for user related approvers', () => {
+    expect(groupApprovers([userApprover])).toStrictEqual([
+      {
+        avatar_url: null,
+        id: userApprover.id,
+        name: null,
+        state: null,
+        type: 'user',
+        username: null,
+        web_url: null,
+      },
+    ]);
+  });
+
+  it('does not set a type if neither group or user keys are present', () => {
+    expect(groupApprovers([unknownApprover])).toStrictEqual([
+      { id: unknownApprover.id, name: null },
+    ]);
+  });
+});
+
+describe('decomposeApprovers', () => {
+  it('returns a copy of approvers adding id fields for both group and users', () => {
+    expect(decomposeApprovers({}, groupedApprovers)).toStrictEqual({
+      group_approvers_ids: [groupApprover.id],
+      user_approvers_ids: [userApprover.id],
+    });
+  });
+
+  it('removes group_approvers and user_approvers keys only keeping the id fields', () => {
+    expect(
+      decomposeApprovers({ user_approvers: null, group_approvers: null }, groupedApprovers),
+    ).toStrictEqual({
+      group_approvers_ids: [groupApprover.id],
+      user_approvers_ids: [userApprover.id],
+    });
+  });
+
+  it('preserves any other keys in addition to the id fields', () => {
+    expect(decomposeApprovers({ existingKey: null }, groupedApprovers)).toStrictEqual({
+      group_approvers_ids: [groupApprover.id],
+      user_approvers_ids: [userApprover.id],
+      existingKey: null,
+    });
+  });
+
+  it('returns empty id fields if there is only unknown types', () => {
+    expect(decomposeApprovers({}, [unknownApprover])).toStrictEqual({
+      group_approvers_ids: [],
+      user_approvers_ids: [],
+    });
+  });
+});
+
+describe('userIds', () => {
+  it('returns only approver with type set to user', () => {
+    expect(userIds(groupedApprovers)).toStrictEqual([userApprover.id]);
+  });
+});
+
+describe('groupIds', () => {
+  it('returns only approver with type set to group', () => {
+    expect(groupIds(groupedApprovers)).toStrictEqual([groupApprover.id]);
+  });
+});
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder_spec.js
new file mode 100644
index 00000000000000..7ea45de359046b
--- /dev/null
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder_spec.js
@@ -0,0 +1,97 @@
+import { GlFormInput, GlToken } from '@gitlab/ui';
+import { mount } from '@vue/test-utils';
+import { nextTick } from 'vue';
+import PolicyActionBuilder from 'ee/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue';
+
+const APPROVER_1 = {
+  id: 1,
+  name: 'name',
+  state: 'active',
+  username: 'username',
+  web_url: '',
+  avatar_url: '',
+};
+
+const APPROVER_2 = {
+  id: 2,
+  name: 'name2',
+  state: 'active',
+  username: 'username2',
+  web_url: '',
+  avatar_url: '',
+};
+
+const APPROVERS = [APPROVER_1, APPROVER_2];
+
+const APPROVERS_IDS = APPROVERS.map((approver) => approver.id);
+
+const ACTION = {
+  approvals_required: 1,
+  user_approvers_ids: APPROVERS_IDS,
+};
+
+describe('PolicyActionBuilder', () => {
+  let wrapper;
+
+  const factory = (propsData = {}) => {
+    wrapper = mount(PolicyActionBuilder, {
+      propsData: {
+        initAction: ACTION,
+        existingApprovers: APPROVERS,
+        ...propsData,
+      },
+      provide: {
+        projectId: '1',
+      },
+    });
+  };
+
+  const findApprovalsRequiredInput = () => wrapper.findComponent(GlFormInput);
+  const findAllGlTokens = () => wrapper.findAllComponents(GlToken);
+
+  it('renders approvals required form input, gl-tokens', async () => {
+    factory();
+    await nextTick();
+
+    expect(findApprovalsRequiredInput().exists()).toBe(true);
+    expect(findAllGlTokens().length).toBe(APPROVERS.length);
+  });
+
+  it('triggers an update when changing approvals required', async () => {
+    factory();
+    await nextTick();
+
+    const approvalRequestPlusOne = ACTION.approvals_required + 1;
+    const formInput = findApprovalsRequiredInput();
+
+    await formInput.vm.$emit('input', approvalRequestPlusOne);
+
+    expect(wrapper.emitted().changed).toEqual([
+      [{ approvals_required: approvalRequestPlusOne, user_approvers_ids: APPROVERS_IDS }],
+    ]);
+  });
+
+  it('removes one approver when triggering a gl-token', async () => {
+    factory();
+    await nextTick();
+
+    const allGlTokens = findAllGlTokens();
+    const glToken = allGlTokens.at(0);
+    const approversLengthMinusOne = APPROVERS.length - 1;
+
+    expect(allGlTokens.length).toBe(APPROVERS.length);
+
+    await glToken.vm.$emit('close', { ...APPROVER_1, type: 'user' });
+
+    expect(wrapper.emitted().changed).toEqual([
+      [
+        {
+          approvals_required: ACTION.approvals_required,
+          user_approvers_ids: [APPROVER_2.id],
+          group_approvers_ids: [],
+        },
+      ],
+    ]);
+    expect(findAllGlTokens()).toHaveLength(approversLengthMinusOne);
+  });
+});
diff --git a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
index eb000a656b3184..610f99bfc81f49 100644
--- a/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
+++ b/ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/scan_result_policy_editor_spec.js
@@ -21,6 +21,7 @@ import {
   EDITOR_MODE_YAML,
 } from 'ee/threat_monitoring/components/policy_editor/constants';
 import DimDisableContainer from 'ee/threat_monitoring/components/policy_editor/dim_disable_container.vue';
+import PolicyActionBuilder from 'ee/threat_monitoring/components/policy_editor/scan_result_policy/policy_action_builder.vue';
 
 jest.mock('~/lib/utils/url_utility', () => ({
   joinPaths: jest.requireActual('~/lib/utils/url_utility').joinPaths,
@@ -49,7 +50,7 @@ describe('ScanResultPolicyEditor', () => {
     branch: 'main',
     fullPath: 'path/to/existing-project',
   };
-  const scanResultPolicyApprovers = [];
+  const scanResultPolicyApprovers = [{ id: 1, username: 'username', state: 'active' }];
 
   const factory = ({ propsData = {}, provide = {} } = {}) => {
     wrapper = shallowMount(ScanResultPolicyEditor, {
@@ -82,6 +83,8 @@ describe('ScanResultPolicyEditor', () => {
 
   const findEmptyState = () => wrapper.findComponent(GlEmptyState);
   const findPolicyEditorLayout = () => wrapper.findComponent(PolicyEditorLayout);
+  const findPolicyActionBuilder = () => wrapper.findComponent(PolicyActionBuilder);
+  const findAllPolicyActionBuilders = () => wrapper.findAllComponents(PolicyActionBuilder);
   const findAddRuleButton = () => wrapper.find('[data-testid="add-rule"]');
   const findAlert = () => wrapper.findComponent(GlAlert);
   const findNameInput = () => wrapper.findComponent(GlFormInput);
@@ -208,4 +211,27 @@ describe('ScanResultPolicyEditor', () => {
       expect(emptyState.props('svgPath')).toBe(policyEditorEmptyStateSvgPath);
     });
   });
+
+  describe('with policy action builder', () => {
+    it('renders a single policy action builder', async () => {
+      factory();
+
+      await nextTick();
+
+      expect(findAllPolicyActionBuilders()).toHaveLength(1);
+      expect(findPolicyActionBuilder().props('existingApprovers')).toEqual(
+        scanResultPolicyApprovers,
+      );
+    });
+
+    it('updates policy action when edited', async () => {
+      const UPDATED_ACTION = { type: 'required_approval', group_approvers_ids: [1] };
+      factory();
+
+      await nextTick();
+      await findPolicyActionBuilder().vm.$emit('changed', UPDATED_ACTION);
+
+      expect(findPolicyActionBuilder().props('initAction')).toEqual(UPDATED_ACTION);
+    });
+  });
 });
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 44d04b63afced2..23ffb2c1bdd399 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -31699,6 +31699,12 @@ msgstr ""
 msgid "Saving project."
 msgstr ""
 
+msgid "ScanResultPolicy|%{thenLabelStart}Then%{thenLabelEnd} Require approval from %{approvalsRequired} of the following approvers: %{approvers}"
+msgstr ""
+
+msgid "ScanResultPolicy|add an approver"
+msgstr ""
+
 msgid "Scanner"
 msgstr ""
 
-- 
GitLab