Scan result policy approval setting overrides
What does this MR do and why?
Last MR for #418752 (closed), where we are adding support for the `approval_settings` scan result policy setting. `approval_settings` contains attributes that override a project's merge request approval settings when a policy is violated.
How to set up and validate locally
`prevent_approval_by_author`

Validating:

1. Create a new project and toggle the feature flag from a Rails console:

   ```ruby
   Feature.enable(:scan_result_any_merge_request, Project.find(ID))
   ```

2. Navigate to Settings > Merge requests and, under the Approval settings section:
   - disable the Prevent approval by author option
   - select Keep approvals
   - save the changes
3. Navigate to Secure > Policies and create the following scan result policy:

   ```yaml
   type: scan_result_policy
   name: Container Scanning
   enabled: true
   rules:
     - type: scan_finding
       scanners:
         - container_scanning
       vulnerabilities_allowed: 0
       severity_levels: []
       vulnerability_states: []
       branch_type: protected
   actions:
     - type: require_approval
       approvals_required: 1
       user_approvers:
         - root
         - <other user>
   approval_settings:
     prevent_approval_by_author: true
     prevent_approval_by_commit_author: false
     remove_approvals_with_new_commit: false
     require_password_to_approve: true
   ```

4. Commit the following `.gitlab-ci.yml` to the default branch:

   ```yaml
   include:
     - template: Security/Container-Scanning.gitlab-ci.yml

   container_scanning:
     variables:
       CS_IMAGE: "nginx"
   ```

5. Update `.gitlab-ci.yml` and create an MR:

   ```diff
   -      CS_IMAGE: "nginx"
   +      CS_IMAGE: "nginx:1"
   ```

6. Verify you cannot approve the MR. Edit the policy and set `enabled: false`. Verify you can approve the MR.
Action-less policies

1. Remove the `approval_settings` from the existing policy:

   ```yaml
   type: scan_result_policy
   name: Container Scanning
   enabled: true
   rules:
     - type: scan_finding
       scanners:
         - container_scanning
       vulnerabilities_allowed: 0
       severity_levels: []
       vulnerability_states: []
       branch_type: protected
   actions:
     - type: require_approval
       approvals_required: 1
       user_approvers:
         - root
         - <other user>
   ```

2. Verify that you can approve the MR.
3. Create the following action-less scan result policy (it has rules and `approval_settings`, but no `actions`):

   ```yaml
   type: scan_result_policy
   name: Enforced Approval Settings
   enabled: true
   rules:
     - type: any_merge_request
       branch_type: protected
       commits: unsigned
   approval_settings:
     prevent_approval_by_author: true
     prevent_approval_by_commit_author: true
     remove_approvals_with_new_commit: true
     require_password_to_approve: true
   ```

4. Verify that you can no longer approve the MR.
`prevent_approval_by_commit_author`

Validating:

1. Add another user with the Developer role or higher to the project and to the policy's `user_approvers`, and impersonate them.
2. Open an MR.
3. Add another commit to the MR as a different user.
4. Verify that the rule has been auto-approved (if the project has only two members), or that neither user can approve the MR (if the project has more than two members).
`remove_approvals_with_new_commit`

Validating:

1. Open an MR.
2. Add another user with the Developer role or higher to the project and to the policy's `user_approvers`, and impersonate them.
3. Approve the MR.
4. Push another commit.
5. Verify that the approvals have been reset.
`require_password_to_approve`

Validating:

1. Attempt to approve any MR with the policy in place and verify that you are prompted for your password before the approval is recorded.
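To make the expected outcomes of the validation steps above explicit, here is an added Ruby model of how a scan result policy's `approval_settings` tighten a project's merge request approval settings. It is illustrative code written for this description, not GitLab's implementation, and it assumes behaviour the steps only imply: a policy overrides a setting only when it sets it to `true` (a `false` leaves the project's own value in place), several applicable policies combine to the most restrictive value, and `branch_type` matching and the `approvals_required` action are left out. The MR hashes are constructed sample input.

```ruby
require 'yaml'

# Added example (not GitLab's code): model of how scan result policy
# approval_settings override project merge request approval settings.
# Assumptions (not stated in the MR): only `true` values override the
# project setting; multiple applicable policies combine to the most
# restrictive value; branch_type and approvals_required are ignored.

# Project-level settings as configured under Settings > Merge requests.
PROJECT_SETTINGS = {
  'prevent_approval_by_author' => false,
  'prevent_approval_by_commit_author' => false,
  'remove_approvals_with_new_commit' => false,
  'require_password_to_approve' => false
}.freeze

# The two policies used in the validation steps.
CONTAINER_SCANNING_POLICY = YAML.safe_load(<<~YAML).freeze
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      scanners: [container_scanning]
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers: [root]
  approval_settings:
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: false
    remove_approvals_with_new_commit: false
    require_password_to_approve: true
YAML

UNSIGNED_COMMITS_POLICY = YAML.safe_load(<<~YAML).freeze
  type: scan_result_policy
  name: Enforced Approval Settings
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  approval_settings:
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: true
YAML

# Does a rule fire for this MR? `mr` is a constructed hash such as
# { author: 'alice', commits: [{ author: 'alice', signed: false }],
#   new_findings: [{ scanner: 'container_scanning' }] }
def rule_triggered?(rule, mr)
  case rule['type']
  when 'scan_finding'
    # Count new findings from the scanners the rule covers.
    count = mr[:new_findings].count { |f| rule['scanners'].include?(f[:scanner]) }
    count > rule['vulnerabilities_allowed']
  when 'any_merge_request'
    rule['commits'] == 'any' ||
      (rule['commits'] == 'unsigned' && mr[:commits].any? { |c| !c[:signed] })
  else
    false
  end
end

# Start from the project settings; every enabled policy with a firing rule
# may only flip a setting to true (most restrictive wins).
def effective_approval_settings(project_settings, policies, mr)
  policies.each_with_object(project_settings.dup) do |policy, effective|
    next unless policy['enabled'] && policy['rules'].any? { |r| rule_triggered?(r, mr) }
    (policy['approval_settings'] || {}).each do |key, value|
      effective[key] = true if value == true
    end
  end
end

# Why `approver` cannot approve `mr` under `settings`, or nil if allowed.
def approval_block_reason(settings, mr, approver, reauthenticated: false)
  return :author if settings['prevent_approval_by_author'] && approver == mr[:author]
  if settings['prevent_approval_by_commit_author'] && mr[:commits].any? { |c| c[:author] == approver }
    return :commit_author
  end
  return :password_required if settings['require_password_to_approve'] && !reauthenticated
  nil
end
```

With the Container Scanning policy enabled and an MR that introduces one `container_scanning` finding, the author is blocked with `:author` and another approver is asked to re-authenticate; disabling the policy (`enabled: false`) returns every setting to the project's own values, which is the flip the last validation step checks. The action-less policy shows that `approval_settings` apply even when a policy has no `actions`.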
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #418752 (closed)