Skip to content

Prevent policy bot message on non-applicable branches

What does this MR do and why?

This MR removes policy bot message when there are no scan_finding or license_scanning rules applicable to the current branch.

Merge request approval policies are applied only to protected branches and if there's MR targeting a non-protected branch, we don't want the policy bot comment to be created, because the approvals will be filtered here and displayed as Optional.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new project
  2. Create CI configuration
    include:
      - template: Security/Secret-Detection.gitlab-ci.yml
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
  3. Go to Secure -> Policies and create a new policy. Example:
    type: approval_policy
    name: Sec & Lic
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
      - type: license_finding
        match_on_inclusion: true
        license_types:
          - MIT License
        license_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  4. Go to Code -> Branches and create a new unprotected branch from the main branch
  5. Create MR which adds violation and choose unprotected as the target branch. Example:
    diff --git a/.env b/.env
    new file mode 100644
    index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1
    --- /dev/null
    +++ b/.env
    @@ -0,0 +1 @@
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
    diff --git a/requirements.txt b/requirements.txt
    new file mode 100644
    index 0000000000000000000000000000000000000000..e5041aff4030dc9f8a00823551126c3ad4c315fe
    --- /dev/null
    +++ b/requirements.txt
    @@ -0,0 +1 @@
    +pluggy==1.3.0
    \ No newline at end of file
  6. Verify that no bot comment is created
  7. Change the target branch to main
  8. Verify that bot comment is created
  9. Change the target branch again to unprotected
  10. Verify that bot comment gets updated to "violations resolved"

Merge request reports

Loading