Compare to completed pipelines with reports for `scan_finding` rules
What does this MR do and why?
Fixes a bug introduced in !140348 (merged): Comparison pipelines for scan_finding
policies must be complete and have security reports.
How to set up and validate locally
- Create a new project and enable the feature flag:

  ```ruby
  Feature.enable(:scan_result_policy_merge_base_pipeline, Project.last)
  ```

- Commit the following `.gitlab-ci.yml`:

  ```yaml
  include:
    - template: Security/Dependency-Scanning.gitlab-ci.yml
      rules:
        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $SKIP_DS == null'
    - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
      rules:
        - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

  dummy_job:
    script: exit 0
  ```

- Commit the following `Gemfile.lock`:

  ```
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.4.1)

  PLATFORMS
    arm64-darwin-22

  DEPENDENCIES
    rack

  BUNDLED WITH
     2.4.22
  ```

- Navigate to **Secure > Policies** and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Deny newly detected vulnerabilities
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states:
        - newly_detected
      branch_type: protected
  ```

- Open an MR that adds a new unrelated file. Verify the MR does not require approval.
- Navigate to **Settings > CI/CD** and configure the `SKIP_DS` variable.
- Commit a new unrelated file to the default branch.
- Commit a new unrelated file to the MR branch.
- Verify that the MR does not require approval.
- Check out `master` and execute:

  ```ruby
  Security::ScanResultPolicies::UpdateApprovalsService.new(
    merge_request: MergeRequest.last,
    pipeline: MergeRequest.last.actual_head_pipeline
  ).execute
  ```

- Verify that the MR requires approval.
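The selection rule this MR enforces (a comparison pipeline must be complete and carry security reports, so a default-branch pipeline that ran with `SKIP_DS` set must not be used) as an added Ruby sketch; this is not GitLab's implementation, and the `Pipeline` struct, the "complete" status set, the report names and the newest-by-id choice are assumptions for illustration.

```ruby
# Illustrative comparison-pipeline selection for a scan_finding policy.
# Added example, not GitLab's code: the struct, status set, report names and
# the newest-by-id tie-break are assumptions, not the project's internals.
Pipeline = Struct.new(:id, :status, :reports, keyword_init: true)

# Assumed set of statuses that count as "complete" (no longer running).
COMPLETE_STATUSES = %w[success failed canceled].freeze
# Assumed names of report types that count as security reports.
SECURITY_REPORTS = %w[dependency_scanning sast secret_detection].freeze

# Returns the newest pipeline that has both finished and produced at least
# one security report, or nil when no candidate qualifies. Pipelines that are
# still running, or that skipped scanning (e.g. via SKIP_DS), are ignored
# rather than being compared against and yielding "newly detected" findings.
def comparison_pipeline(pipelines)
  pipelines
    .select { |p| COMPLETE_STATUSES.include?(p.status) }
    .select { |p| (p.reports & SECURITY_REPORTS).any? }
    .max_by(&:id)
end

# Constructed sample mirroring the validation steps above: pipeline 12 is the
# latest default-branch pipeline, run after SKIP_DS was set, so it carries no
# dependency scanning report; pipeline 11 is still running.
SAMPLE_PIPELINES = [
  Pipeline.new(id: 10, status: "success", reports: ["dependency_scanning"]),
  Pipeline.new(id: 11, status: "running", reports: ["dependency_scanning"]),
  Pipeline.new(id: 12, status: "success", reports: []) # SKIP_DS pipeline
].freeze

if __FILE__ == $PROGRAM_NAME
  chosen = comparison_pipeline(SAMPLE_PIPELINES)
  puts(chosen ? "compare against pipeline ##{chosen.id}" : "no suitable comparison pipeline")
end
```

With the constructed sample the function falls back to pipeline 10, the last one that actually has a report, which is the behaviour the MR description expects before approval is required.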
Related to #428518 (closed)
Edited by Dominic Bauer