Skip to content

Handle optional approvals in policy bot comment

What does this MR do and why?

This MR updates the policy bot comment behavior so that it takes optional approvals into account. A policy may be defined requiring 0 approvals from the approvers and in this case, the wording of the comment was off.

We've decided to handle it this way (#420948 (comment 1506783534)) because the whole feature is still considered MVC and may be subject to significant change, so we decided to not track the comments' metadata via database yet.

Screenshots or screen recordings

With required approvals With optional approvals Hidden comment
image image CleanShot_2023-09-21_at_12.19.15_2x

How to set up and validate locally

  1. Create a project
  2. Go to Secure -> Policies and create a policy in that project, setting approvals_required to 0. Sample YAML:
     type: scan_result_policy
     name: Secrets
     description: ''
     enabled: true
     rules:
       - type: scan_finding
         branches: []
         scanners:
           - secret_detection
         vulnerabilities_allowed: 0
         severity_levels: []
         vulnerability_states: []
     actions:
       - type: require_approval
         approvals_required: 0
         user_approvers_ids:
           - 4
  3. Create MR with a policy violation
    • Add CI configuration with secret detection template. .gitlab-ci.yml:
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
    test-job:
      script:
      - echo "Test Job..."
    • Add .env file in MR with a leaked secret:
    AWS_TOKEN="AKIAZYONPI3G4JNCCWGX"
  4. Observe the created comment, it should state "optional reviewers" and have optional_approvals: scan_finding in the hidden comment

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #420948 (closed)

Edited by Martin Čavoj

Merge request reports

Loading