Skip to content

Allow merge when rules are invalid for security policy project

What does this MR do and why?

This MR changes the behavior of for invalid security policy rules and allows merge of invalid security policy rules if the project is a security policy project.

Screenshots or screen recordings

Before

image

After:

Security policy projects get auto-approved: image

Normal projects still fail-close: CleanShot_2023-05-10_at_10.17.02_2x

How to set up and validate locally

  1. Create a group
  2. Create a group scan result policy, for example requiring SAST scanners, which is invalid - require more approvals than eligible approvers and merge it
  3. Make sure to invite the user whose approval is required directly into the group
  4. Edit the policy, fix the number of required approvals
  5. The MR for the security policy project should not be blocked due to invalid rule and it should be auto-approved.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #410456 (closed)

Edited by Martin Čavoj

Merge request reports

Loading