Skip to content

Add scan result policy access check

Dominic Bauer requested to merge 420629-add-scan-result-policy-access-check into master

What does this MR do and why?

This MR disables force-pushes to projects affected by at least one active scan result policy. The presence of a policy also overrides the "Allowed to force push" option of protected branches.

How to set up and validate locally

  • Create a new project and toggle the feature flag:

    Feature.enable(:scan_result_policies_block_force_push, Project.last)
  • Clone the repository locally, amend the initial commit, and verify you can force-push the amended commit

  • Navigate to Settings > Repository, expand the Protected branches section and enable the Allowed to force push toggle for the default branch

  • Navigate to Secure > Policies and create any scan result policy targeting the default branch, e.g.:

    name: Test
    description: ''
    enabled: true
    rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
    actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
      - 1
    approval_settings:
      block_protected_branch_modification:
        enabled: true
  • Verify you can no longer force-push to the default branch and see the error message output:

    Writing objects: 100% (3/3), 2.84 KiB | 2.84 MiB/s, done.
    Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
    remote: GitLab: Force push is blocked by settings overridden by a security policy
    To http://gdk.test:3000/root/small-shape-7315
     ! [remote rejected] main -> main (pre-receive hook declined)
    error: failed to push some refs to 'http://gdk.test:3000/root/small-shape-7315'

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #420629 (closed)

Merge request reports

Loading