
Synchronize scan result policy approval rules on default branch change

What does this MR do and why?

We are adding branch_type support to security policies (&9468 (closed)).

We need to synchronize approval rules on default branch changes to honor the default value.

How to set up and validate locally

  • Create a new project

  • Enable the feature flag for the project:

    Feature.enable(:security_policies_branch_type, Project.last)
  • Navigate to Repository > Branches and create the develop branch

  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Container Scanning
    enabled: true
    rules:
      - type: scan_finding
        branch_type: default
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
  • Open a new MR targeting the main branch

  • Verify that the MR requires Container Scanning approval

  • Open a new MR targeting the develop branch

  • Verify that the MR does not require approval

  • Navigate to Settings > Repository and in the Protected branches section, protect the develop branch

  • Navigate to Settings > Repository and in the Branch defaults section, change the default branch to develop

  • Verify that the MR to develop now requires approval and the MR to main no longer does
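The validation steps above boil down to one rule: a `branch_type: default` rule is resolved against whatever the project's default branch currently is, so approval rules derived from it go stale when that setting changes. The following Ruby script is an added illustration, not GitLab's own code; the `Project` struct, `rule_branches`, `required_approvals` and `sync_approval_rules` are hypothetical stand-ins for the real models and only model `branch_type: default` and an explicit `branches` list.

```ruby
require 'yaml'

# Constructed policy, same shape as the one in the validation steps above.
POLICY = YAML.safe_load(<<~YAML)
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      branch_type: default
      scanners: [container_scanning]
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids: [1]
YAML

# Hypothetical project state: branch names plus which one is the default.
Project = Struct.new(:default_branch, :branches)

# Branches a single rule applies to. `branch_type: default` is resolved
# against the project's *current* default branch, which is why approval
# rules computed earlier become wrong once that setting changes.
def rule_branches(rule, project)
  case rule['branch_type']
  when 'default' then [project.default_branch]
  when nil       then Array(rule['branches'])  # explicit branch list
  else []                                       # other branch types not modelled
  end
end

# Approval requirements for an MR targeting `target`: policy name => approvals_required.
def required_approvals(policy, project, target)
  return {} unless policy['enabled']
  return {} unless policy['rules'].any? { |r| rule_branches(r, project).include?(target) }
  policy['actions'].select { |a| a['type'] == 'require_approval' }
                   .to_h { |a| [policy['name'], a['approvals_required']] }
end

# Recompute the per-branch approval rules from scratch; the synchronization this
# MR adds must run something equivalent on every default branch change.
def sync_approval_rules(policy, project)
  project.branches.to_h { |b| [b, required_approvals(policy, project, b)] }
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new('main', %w[main develop])
  p sync_approval_rules(POLICY, project)   # main needs 1 approval, develop none
  project.default_branch = 'develop'
  p sync_approval_rules(POLICY, project)   # now reversed
end
```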

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #406587 (closed)

Edited by Dominic Bauer
