Security Policy: Any fallback_behavior should automatically include a bot message
Release notes
Problem to solve
Currently, Security Bot messages are sent only "when the conditions match", that is, when the scan results allow the policy to be marked as passed or failed.
However, when the fallback_behavior is triggered instead, no message is posted to disambiguate that fact, so the MR gives no indication that the policy was skipped rather than evaluated.
Proposals
- A fallback bot message, with, for example, a wording like the following:

  Policy skipped:
  The policy enforced on your project is configured to fail open. Confirm that scanners are properly configured and producing results. Vulnerability detection depends on successful execution of security scan jobs in the target and/or source branches.
  Comparison branches:
  - ABCD
  - EFGH

  Ensure that the message accounts not only for configuration issues but also for the other known cases where policies are skipped due to the fallback behavior.
- Additionally, introduce a new fallback_behavior value, warn. This would trigger bot comments to report violations detected by the policy rule, but instead of blocking with an approval rule, it would only post the bot comment. (Not necessary based on #474853 (comment 2152238905); the UI will be tackled in another issue.)
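To make the gap concrete, the following is an added example written for this issue, not GitLab's implementation: a small model of how a scan result policy is evaluated against the scan jobs on the source and target branches, and which Security Bot message each outcome would produce. It assumes the policy YAML shape fallback_behavior with fail: open|closed, a simplified rule in which every required scanner must succeed on both comparison branches before the conditions can be evaluated, a "new finding" defined as present on the source branch and absent from the target, and constructed scanner names, branch names and finding IDs. The "skipped" wording is the one proposed above; the "blocked" wording is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanJob:
    """One security scan job on one branch (constructed input, not real pipeline data)."""
    scanner: str
    branch: str
    status: str                          # "success" or "failed"
    findings: frozenset = frozenset()    # IDs of findings at/above the policy's severity


@dataclass(frozen=True)
class Policy:
    name: str
    scanners: tuple                      # scanners the policy rule depends on
    vulnerabilities_allowed: int = 0
    fallback_fail: str = "closed"        # fallback_behavior.fail in the policy YAML


@dataclass(frozen=True)
class Outcome:
    status: str                          # "passed" | "failed" | "skipped" | "blocked"
    requires_approval: bool              # whether the approval rule stays in place
    message: str                         # text the Security Bot would post on the MR


def fallback_message(policy, branches, missing):
    """Bot message for the fallback path; the "skipped" text is the wording proposed above."""
    branch_list = "\n".join(f"- {b}" for b in branches)
    missing_list = "\n".join(f"- {m}" for m in missing)
    if policy.fallback_fail == "open":
        head = (f"Policy skipped: {policy.name}\n"
                "The policy enforced on your project is configured to fail open. "
                "Confirm that scanners are properly configured and producing results. "
                "Vulnerability detection depends on successful execution of security "
                "scan jobs in the target and/or source branches.")
    else:
        # Assumed wording for the fail-closed case (not from the issue text).
        head = (f"Policy blocked: {policy.name}\n"
                "The policy enforced on your project is configured to fail closed. "
                "Approval is required until the scan jobs below complete successfully.")
    return f"{head}\nComparison branches:\n{branch_list}\nMissing or failed scans:\n{missing_list}"


def evaluate(policy, source_branch, target_branch, jobs):
    """Decide the policy outcome from the scan jobs on the two comparison branches."""
    by_key = {(j.scanner, j.branch): j for j in jobs}
    branches = (source_branch, target_branch)
    missing = []
    for scanner in policy.scanners:
        for branch in branches:
            job = by_key.get((scanner, branch))
            if job is None:
                missing.append(f"{scanner} on {branch}: no job ran")
            elif job.status != "success":
                missing.append(f"{scanner} on {branch}: job {job.status}")
    if missing:
        # The conditions cannot be evaluated: this is the fallback_behavior path.
        message = fallback_message(policy, branches, missing)
        if policy.fallback_fail == "open":
            return Outcome("skipped", False, message)
        return Outcome("blocked", True, message)

    # Findings present on the source branch but absent from the target count as new.
    new = set()
    for scanner in policy.scanners:
        new |= by_key[(scanner, source_branch)].findings - by_key[(scanner, target_branch)].findings
    if len(new) > policy.vulnerabilities_allowed:
        return Outcome("failed", True,
                       f"Policy failed: {policy.name} ({len(new)} new finding(s): {sorted(new)})")
    return Outcome("passed", False, f"Policy passed: {policy.name}")


def run_scenarios():
    """Constructed scenarios covering the four outcomes; all names and IDs are made up."""
    src, tgt = "feature/abcd", "main"
    ok = lambda scanner, branch, *ids: ScanJob(scanner, branch, "success", frozenset(ids))
    clean = [ok("sast", src), ok("sast", tgt),
             ok("dependency_scanning", src), ok("dependency_scanning", tgt)]
    with_new = [ok("sast", src, "CVE-2024-0001"), ok("sast", tgt),
                ok("dependency_scanning", src), ok("dependency_scanning", tgt)]
    # Dependency scanning failed on the source branch, so the rule cannot be evaluated
    # even though SAST did report a new finding: fail-open silently lets this MR through.
    scan_failed = [ok("sast", src, "CVE-2024-0001"), ok("sast", tgt),
                   ScanJob("dependency_scanning", src, "failed"), ok("dependency_scanning", tgt)]
    fail_open = Policy("block-critical", ("sast", "dependency_scanning"), fallback_fail="open")
    fail_closed = Policy("block-critical", ("sast", "dependency_scanning"), fallback_fail="closed")
    return {
        "passed": evaluate(fail_open, src, tgt, clean),
        "failed": evaluate(fail_open, src, tgt, with_new),
        "fail_open": evaluate(fail_open, src, tgt, scan_failed),
        "fail_closed": evaluate(fail_closed, src, tgt, scan_failed),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"== {name}: {outcome.status} (approval required: {outcome.requires_approval})")
        print(outcome.message)
```

The fail_open scenario is the case the proposal targets: without the fallback message, the MR shows neither a failed policy nor an approval rule, and the SAST finding that was reported on the source branch is invisible to reviewers. Listing the missing or failed scans alongside the comparison branches also covers the non-configuration cases (a scanner job that ran but failed) that the note above asks the message to account for.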
Intended users
Feature Usage Metrics
Higher cycle time for MRs that include this fallback bot message.
Does this feature require an audit event?
No

Edited by Martin Čavoj