
Check scan_types from scan result policy only for scan removal check

Sashi Kumar Kumaresan requested to merge sk/415096-fix-scan-type-check into master

What does this MR do and why?

Addresses #415096 (closed)

This MR fixes a bug in scan result policies: if a security scanner is removed or its scan job failed, and that scan type is not in the policy's list of scanners, approval should not be enforced.

Steps to reproduce

  1. Create a scan result policy that requires a SAST result (e.g. require approval if any vulnerabilities are found for SAST).
  2. In the target development project, ensure SAST successfully runs, but also add a new scanner that is not included in the policy (such as Container Scanning).
  3. Ensure the SAST scanner succeeds but the Container Scanning (or other) scanner fails.
  4. Observe that approval is required despite the fact that only SAST results are required to evaluate the policy to then determine if approvals are required.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
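The following Ruby snippet is an added illustration of the check this MR corrects; it is a constructed model, not GitLab's own code. The policy and pipeline shapes, the helper names, and the simplification that a scan type absent from the pipeline counts as "removed" are all assumptions made for the example. It contrasts the pre-fix behaviour reproduced by the steps above (any failed or missing scanner forces approval) with the fixed behaviour (only the policy's `scan_types` are consulted for the removal/failure check).

```ruby
# Constructed example (not GitLab's implementation) of evaluating a scan result
# policy against a merge request pipeline.
#
# Assumed shapes:
#   policy   -> { scan_types: ["sast"], vulnerabilities_allowed: 0 }
#   pipeline -> Pipeline with scans: { "sast" => { status: :success, findings: 0 }, ... }
# A scan type listed in the policy but absent from the pipeline is treated as
# "removed" (simplification for this example).
Pipeline = Struct.new(:scans, keyword_init: true)

def relevant_scan_types(policy)
  policy.fetch(:scan_types)
end

# Sum of findings across only the scan types the policy evaluates.
def relevant_findings(policy, pipeline)
  relevant_scan_types(policy).sum { |type| pipeline.scans.dig(type, :findings).to_i }
end

# Behaviour before the fix, as described in the reproduction steps: a failure of
# ANY scanner in the pipeline (even one the policy does not evaluate) forces approval.
def approval_required_before_fix?(policy, pipeline)
  any_failed = pipeline.scans.any? { |_, scan| scan[:status] == :failed }
  any_failed || relevant_findings(policy, pipeline) > policy.fetch(:vulnerabilities_allowed, 0)
end

# Behaviour after the fix: the removed/failed check is scoped to the policy's
# scan_types, so an unrelated scanner failing does not trigger approval.
def approval_required_after_fix?(policy, pipeline)
  removed_or_failed = relevant_scan_types(policy).select do |type|
    scan = pipeline.scans[type]
    scan.nil? || scan[:status] == :failed
  end
  return true unless removed_or_failed.empty?

  relevant_findings(policy, pipeline) > policy.fetch(:vulnerabilities_allowed, 0)
end

# Constructed sample data mirroring the reproduction steps.
POLICY = { name: "Require approval on SAST findings", scan_types: ["sast"], vulnerabilities_allowed: 0 }.freeze

# SAST succeeds with no findings; Container Scanning (not in the policy) fails.
REPRO_PIPELINE = Pipeline.new(scans: {
  "sast" => { status: :success, findings: 0 },
  "container_scanning" => { status: :failed, findings: 0 }
})

# Cases the fixed logic must still flag: the policy's own scanner failed,
# was removed, or reported findings above the allowed threshold.
SAST_FAILED_PIPELINE  = Pipeline.new(scans: { "sast" => { status: :failed, findings: 0 } })
SAST_REMOVED_PIPELINE = Pipeline.new(scans: { "container_scanning" => { status: :success, findings: 0 } })
SAST_FINDINGS_PIPELINE = Pipeline.new(scans: { "sast" => { status: :success, findings: 3 } })

if __FILE__ == $PROGRAM_NAME
  puts "repro, before fix: #{approval_required_before_fix?(POLICY, REPRO_PIPELINE)}"
  puts "repro, after fix:  #{approval_required_after_fix?(POLICY, REPRO_PIPELINE)}"
end
```

Running the file prints `true` for the pre-fix evaluation of the reproduction pipeline and `false` for the fixed one, while the three "own scanner" cases still require approval after the fix.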
