Add worker to sync approval rules with preexisting state
What does this MR do and why?
This MR fixes a bug with scan result policy for pre-existing vulnerability states (`confirmed`, `detected`, `dismissed`, `resolved`) where the approvals are checked only after the pipeline is complete. We don't need to wait for the pipeline to complete to enforce approval for pre-existing vulnerability states. The fix is to introduce a new worker that checks approvals even before the pipeline is complete and whenever the MR is updated. This is introduced behind a feature flag to reduce the risk of introducing a breaking change.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project with a `.gitlab-ci.yml` that runs a security scan which introduces some vulnerabilities:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: 'citizenstig/dvwa:latest'
```
- Create a scan result policy to require approval on pre-existing vulnerability states:

```yaml
type: scan_result_policy
name: Pre-Existing Vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - confirmed
      - dismissed
      - resolved
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 22
approval_settings:
  prevent_pushing_and_force_pushing: false
```
- Create an MR that updates the README and notice that the approval is enforced (along with the bot comment) before the pipeline is complete.

  (Screenshot: MR with approvals enforced before pipeline is complete)

- Create an MR that skips CI by adding `[ci skip]` to the commit message and notice that the MR still requires approvals for pre-existing vulnerabilities.

  (Screenshot: MR with CI skipped or no pipeline)

- Create a new project, or update the policy to require approval on pre-existing vulnerability states but with a different filter (for example `severity` or `scanner`), so that the project's vulnerabilities do not violate the rule; then create an MR to update the README and notice that approvals are not enforced.

  (Screenshot: MR with no violations)
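To make the three validation scenarios above concrete, here is an added example (not GitLab's own worker code) of the decision the new worker has to make: a pre-existing-state rule is evaluated against vulnerabilities the project already has, so it never needs to wait for a pipeline, while a rule that depends on the MR's own scan results is deferred until the pipeline completes. The policy YAML is the one from the steps above; the vulnerability records, the `PRE_EXISTING_STATES` list and the helper names are constructed for this example and are not GitLab identifiers.

```ruby
require 'yaml'

# The scan result policy from the validation steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Pre-Existing Vulnerabilities
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states:
        - confirmed
        - dismissed
        - resolved
        - detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 22
YAML

# Constructed sample of the project's existing vulnerability records
# (hypothetical shape; real records carry many more fields).
PROJECT_VULNERABILITIES = [
  { state: 'detected',  severity: 'high',   scanner: 'container_scanning' },
  { state: 'dismissed', severity: 'low',    scanner: 'container_scanning' },
  { state: 'confirmed', severity: 'medium', scanner: 'dependency_scanning' }
].freeze

# States that describe vulnerabilities already recorded on the target branch
# (assumed set for this example).
PRE_EXISTING_STATES = %w[confirmed detected dismissed resolved].freeze

def load_policy
  YAML.safe_load(POLICY_YAML)
end

# A rule is a "pre-existing" rule when every state it names is already known
# on the target branch, so it can be evaluated without any pipeline.
def pre_existing_rule?(rule)
  states = Array(rule['vulnerability_states'])
  states.any? && states.all? { |s| PRE_EXISTING_STATES.include?(s) }
end

# Apply the rule's filters; an empty list means "no filter" for that field.
def matching_vulnerabilities(rule, vulnerabilities)
  states   = Array(rule['vulnerability_states'])
  severity = Array(rule['severity_levels'])
  scanners = Array(rule['scanners'])
  vulnerabilities.select do |v|
    states.include?(v[:state]) &&
      (severity.empty? || severity.include?(v[:severity])) &&
      (scanners.empty? || scanners.include?(v[:scanner]))
  end
end

def rule_violated?(rule, vulnerabilities)
  matching_vulnerabilities(rule, vulnerabilities).size > rule['vulnerabilities_allowed'].to_i
end

# Number of approvals the policy demands for the MR right now.
# Pre-existing rules are checked immediately; rules that need the MR's own scan
# results (any other state) are skipped until the pipeline has completed.
def approvals_required(policy, vulnerabilities, pipeline_complete:)
  return 0 unless policy['enabled']

  violated = Array(policy['rules']).any? do |rule|
    next false unless rule['type'] == 'scan_finding'
    next false unless pre_existing_rule?(rule) || pipeline_complete

    rule_violated?(rule, vulnerabilities)
  end
  return 0 unless violated

  Array(policy['actions'])
    .select { |a| a['type'] == 'require_approval' }
    .sum { |a| a['approvals_required'].to_i }
end

# Copy of the policy whose first rule carries a different filter, mirroring
# the third validation step (narrow the rule so nothing in the project matches).
def with_filter(policy, field, values)
  copy = YAML.safe_load(YAML.dump(policy))
  copy['rules'][0][field] = values
  copy
end

if __FILE__ == $PROGRAM_NAME
  policy = load_policy
  puts "no pipeline yet:   #{approvals_required(policy, PROJECT_VULNERABILITIES, pipeline_complete: false)} approval(s)"
  narrowed = with_filter(policy, 'severity_levels', ['critical'])
  puts "severity=critical: #{approvals_required(narrowed, PROJECT_VULNERABILITIES, pipeline_complete: false)} approval(s)"
end
```

With the policy as written, `approvals_required` returns 1 even when `pipeline_complete:` is `false`, which is the behaviour the first two scenarios (pipeline still running, `[ci skip]`) expect; narrowing the rule to a severity or scanner the project does not have returns 0, matching the third scenario. A rule whose states are not all pre-existing (for example `newly_detected`) yields 0 until the pipeline completes, since its findings come from the MR's own scan.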
Addresses #425482 (closed)
Edited by Sashi Kumar Kumaresan