Reset required approvals for violated rules
What does this MR do and why?
This MR fixes a bug where approvals are not required if a re-run of the pipeline produces reports with new security findings.
The approvals_required for a merge request are currently reset on push in https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/ee/merge_requests/refresh_service.rb#L18. If a first pipeline run doesn't find any violations, it removes required approvals from the merge request approval rules. If another pipeline is run, it might find new findings which may require approvals with policies using "previously existing" vulnerabilities. Currently, this second run doesn't add the required approvals, as no new code was pushed.
How to set up and validate locally
Follow the steps from the issue: #423495 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #423495 (closed)
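The sequence described above (push, clean pipeline, re-run with findings), as an added example that is not GitLab's code or part of this MR: a simplified model showing why the required approvals stay at zero when they are only restored on push, and how restoring them for violated rules closes the gap. Every class, method and rule name here is hypothetical, and the configured count of 2 is a constructed sample value.

```ruby
# Simplified model for illustration only; not GitLab source code.
# Rule, MergeRequestModel and run_scenario are hypothetical names.
Rule = Struct.new(:name, :configured_approvals, :approvals_required)

class MergeRequestModel
  attr_reader :rules

  def initialize(rules, reset_on_violation:)
    @rules = rules
    @reset_on_violation = reset_on_violation
  end

  # A push restores every rule to its configured approval count.
  def push!
    @rules.each { |r| r.approvals_required = r.configured_approvals }
  end

  # A finished pipeline reports which rules its findings violate.
  def pipeline_finished!(violated_rule_names)
    @rules.each do |r|
      if violated_rule_names.include?(r.name)
        # Behaviour the MR describes as the fix: restore approvals for
        # violated rules even though no new code was pushed.
        r.approvals_required = r.configured_approvals if @reset_on_violation
      else
        # No violation found: required approvals are removed from the rule.
        r.approvals_required = 0
      end
    end
  end
end

# Replays push -> clean pipeline -> re-run with new findings (no push).
def run_scenario(reset_on_violation:)
  rule = Rule.new("example_policy_rule", 2, 2) # constructed sample rule
  mr = MergeRequestModel.new([rule], reset_on_violation: reset_on_violation)
  mr.push!
  mr.pipeline_finished!([])
  mr.pipeline_finished!(["example_policy_rule"])
  rule.approvals_required
end

if __FILE__ == $PROGRAM_NAME
  puts "reset only on push:       #{run_scenario(reset_on_violation: false)} approvals required"
  puts "reset for violated rules: #{run_scenario(reset_on_violation: true)} approvals required"
end
```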