Skip to content

Scan result policy approval setting overrides

What does this MR do and why?

Last MR for #418752 (closed), where we are adding support for the approval_settings scan result policy setting.

approval_settings contains attributes that override a project's merge request approval setting, on policy violation.

How to set up and validate locally

Validating prevent_approval_by_author

  • Create a new project and toggle the feature flag:

    Feature.enable(:scan_result_any_merge_request, Project.find(ID))
  • Navigate to Settings > Merge requests, and under the Approval settings section:

    • disable the Prevent approval by author option
    • select the Keep approvals checkbox
    • save changes
  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Container Scanning
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - <other user>
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: true
    • Commit the following .gitlab-ci.yml to the default branch:

      include:
        - template: Security/Container-Scanning.gitlab-ci.yml
      
      container_scanning:
        variables:
          CS_IMAGE: "nginx"
  • Update gitlab-ci.yml and create an MR:

    -CS_IMAGE: "nginx"
    +CS_IMAGE: "nginx:1"
  • Verify you cannot approve the MR. Edit the policy and set enabled: false. Verify you can approve the MR.

Action-less policies

  • Remove the approval_settings from the existing policy:

    type: scan_result_policy
    name: Container Scanning
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - <other user>
  • Verify that you can approve the MR.

  • Create the following action-less scan result policy:

    type: scan_result_policy
    name: Enforced Approval Settings
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  • Verify that you can no longer approve the MR.

Validating prevent_approval_by_commit_author

  • Add another user with Developer+ role to the project/policy and impersonate them
  • Open a MR
  • Add another commit by another user to the MR
  • Verify the rule has been auto-approved (if the project only has 2 members), or that neither of both users can approve the MR (if the project has > 2 members).

Validating remove_approvals_with_new_commit

  • Open a MR
  • Add another user with Developer+ role to the project/policy and impersonate them
  • Approve the MR
  • Push another commit
  • Verify approvals have reset

Validating require_password_to_approve

  • Attempt to approve any MR with the policy in place

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Dominic Bauer

Merge request reports

Loading