Add scan result policy access check
What does this MR do and why?
This MR disables force-pushes to projects affected by at least one active scan result policy. The presence of a policy also overrides the "Allowed to force push" option of protected branches.
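As an added illustration (not the MR's own code), the decision the pre-receive check has to make, written as a small stand-alone Ruby function: the protected branch's "Allowed to force push" toggle is honoured only when no active scan result policy covers the branch. The policy is the one from the validation steps below; the function names, the `block_protected_branch_modification` field being the one that makes a policy block the push, and the `branches` list handling are assumptions for this example.

```ruby
require 'yaml'

# Constructed sample policy mirroring the one used in the validation steps.
POLICY_YAML = <<~YAML
  name: Test
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  approval_settings:
    block_protected_branch_modification:
      enabled: true
YAML

# Message the push client sees, as quoted in the MR description.
FORCE_PUSH_BLOCKED_MESSAGE = 'Force push is blocked by settings overridden by a security policy'

# Assumed semantics: a policy blocks the push when it is enabled, its
# block_protected_branch_modification setting is on, and one of its rules
# targets the branch (branch_type: protected covers every protected branch;
# an explicit `branches` list matches by name).
def policy_blocks_branch?(policy, branch, branch_protected)
  return false unless policy['enabled']
  return false unless policy.dig('approval_settings', 'block_protected_branch_modification', 'enabled')

  Array(policy['rules']).any? do |rule|
    (rule['branch_type'] == 'protected' && branch_protected) || Array(rule['branches']).include?(branch)
  end
end

# Returns [allowed, message]. A matching policy overrides the protected-branch
# "Allowed to force push" toggle; otherwise the toggle decides.
def force_push_check(policies:, branch:, branch_protected:, allow_force_push:)
  return [false, FORCE_PUSH_BLOCKED_MESSAGE] if policies.any? { |p| policy_blocks_branch?(p, branch, branch_protected) }
  return [false, 'Force push is not allowed on this protected branch'] if branch_protected && !allow_force_push

  [true, nil]
end

policy = YAML.safe_load(POLICY_YAML)
puts force_push_check(policies: [policy], branch: 'main', branch_protected: true, allow_force_push: true).inspect
```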
How to set up and validate locally
- Create a new project and toggle the feature flag:

  ```ruby
  Feature.enable(:scan_result_policies_block_force_push, Project.last)
  ```

- Clone the repository locally, amend the initial commit, and verify you can force-push the amended commit.
- Navigate to Settings > Repository, expand the Protected branches section and enable the Allowed to force push toggle for the default branch.
- Navigate to Secure > Policies and create any scan result policy targeting the default branch, e.g.:

  ```yaml
  name: Test
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  approval_settings:
    block_protected_branch_modification:
      enabled: true
  ```

- Verify you can no longer force-push to the default branch and see the error message output:

  ```
  Writing objects: 100% (3/3), 2.84 KiB | 2.84 MiB/s, done.
  Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
  remote: GitLab: Force push is blocked by settings overridden by a security policy
  To http://gdk.test:3000/root/small-shape-7315
   ! [remote rejected] main -> main (pre-receive hook declined)
  error: failed to push some refs to 'http://gdk.test:3000/root/small-shape-7315'
  ```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #420629 (closed)