Prevent policy bot message on non-applicable branches
What does this MR do and why?
This MR removes the policy bot message when there are no `scan_finding` or `license_scanning` rules applicable to the current branch.
Merge request approval policies are applied only to protected branches. If an MR targets a non-protected branch, we don't want the policy bot comment to be created, because the approvals will be filtered there and displayed as `Optional`.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new project
- Create CI configuration:

  ```yaml
  include:
    - template: Security/Secret-Detection.gitlab-ci.yml
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml

  build-job:
    script:
      - echo "Compiling the code..."
      - echo "Compile complete."
  ```
- Go to Secure -> Policies and create a new policy. Example:

  ```yaml
  type: approval_policy
  name: Sec & Lic
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT License
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - developer
  ```
- Go to Code -> Branches and create a new `unprotected` branch from the `main` branch
- Create an MR which adds a violation and choose `unprotected`
as the target branch. Example:diff --git a/.env b/.env new file mode 100644 index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1 --- /dev/null +++ b/.env @@ -0,0 +1 @@ +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000000000000000000000000000000000000..e5041aff4030dc9f8a00823551126c3ad4c315fe --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +pluggy==1.3.0 \ No newline at end of file
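Review bot: the `.env` hunk adds `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ`, a string shaped like an AWS access key id, as the trigger for the secret-detection rule in this test. The step should say explicitly that this value is a synthetic placeholder and not a live credential, so that people reproducing the steps do not substitute a real key and the string is not mistaken for an exposed secret when it appears in the scan results.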
- Verify that no bot comment is created
- Change the target branch to `main`
- Verify that the bot comment is created
- Change the target branch again to `unprotected`
- Verify that the bot comment gets updated to "violations resolved"
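As an added illustration of the behaviour these steps verify (example code, not GitLab's own implementation), the following Ruby model decides from the policy above and the MR's target branch whether any `scan_finding` or `license_finding` rule applies, and therefore whether a bot comment should be created at all. The `branch_type` semantics (`protected`, `default`, `all`, or an explicit `branches` list) are simplified assumptions made for the example.

```ruby
require 'yaml'

# Added illustration (not GitLab's implementation): does a merge request approval
# policy have any rule applicable to the MR's target branch? No applicable rule
# means no policy bot comment. Assumed, simplified branch_type semantics below.
POLICY_YAML = <<~YAML
  type: approval_policy
  name: 'Sec & Lic'
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      branch_type: protected
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT License
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
YAML
POLICY = YAML.safe_load(POLICY_YAML)
# Rule types whose violations the policy bot reports on.
BOT_RULE_TYPES = %w[scan_finding license_finding].freeze

# True when +rule+ is in force for +target_branch+ (assumed semantics:
# 'protected' = protected branches, 'default' = default branch, 'all' = any).
def rule_applies?(rule, target_branch, protected_branches:, default_branch:)
  case rule['branch_type']
  when 'protected' then protected_branches.include?(target_branch)
  when 'default'   then target_branch == default_branch
  when 'all'       then true
  else Array(rule['branches']).include?(target_branch) # explicit branch list
  end
end

# Rules that are both bot-relevant and applicable to the target branch.
def applicable_rules(policy, target_branch, protected_branches:, default_branch: 'main')
  return [] unless policy['enabled']
  policy['rules'].select do |rule|
    BOT_RULE_TYPES.include?(rule['type']) &&
      rule_applies?(rule, target_branch, protected_branches: protected_branches, default_branch: default_branch)
  end
end

# The check this MR introduces: comment only when something can be violated.
def bot_comment_needed?(policy, target_branch, protected_branches:)
  applicable_rules(policy, target_branch, protected_branches: protected_branches).any?
end
```

With `main` as the only protected branch, `bot_comment_needed?(POLICY, 'main', protected_branches: ['main'])` is true and the same call for `unprotected` is false, matching the two outcomes the steps above check.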