Skip to content

Fix resetting approvals when pipeline is manual

Sashi Kumar Kumaresan requested to merge sk/419789-fix-manual-pipelines into master

What does this MR do and why?

Fixes a bug with MR approval policy where a manual pipeline is not considered for comparison when resetting the approval rules.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before After
Screenshot_2024-04-22_at_11.46.22_PM Screenshot_2024-04-22_at_11.46.15_PM

How to set up and validate locally

  1. Create project, and create a new branch and make this branch a protected branch.
  2. Add a scan result policy that requires approval when new vulnerabilities are detected:
name: SRP
description: ''
enabled: true
actions:
- type: require_approval
approvals_required: 1
group_approvers_ids:
- 15017953
rules:
- type: scan_finding
scanners:
- dependency_scanning
- sast
vulnerabilities_allowed: 0
severity_levels:
- critical
- high
- medium
vulnerability_states: []
branch_type: protected
  1. Add .gitlab-ci.yml file to the new branch you created in Step 1 and make one of the security scan as manual:
semgrep-sast:
stage: test
script:
  - cp gl-sast-report_no_vulnerabilities.json gl-sast-report.json
artifacts:
  paths:
    - gl-sast-report.json
  reports:
    sast:
    - gl-sast-report.json

gemnasium-maven-dependency_scanning:
stage: test
when: manual
allow_failure: false
script:
  - cp gl-dependency-scanning-report_no_findings.json gl-dependency-scanning-report.json
artifacts:
  paths:
    - gl-dependency-scanning-report.json
  reports:
    dependency_scanning:
    - gl-dependency-scanning-report.json

Add these files to the project:

gl-sast-report_no_vulnerabilities.json

gl-dependency-scanning-report_no_findings.json

gl-sbom-maven-maven.cdx.json

  1. Create an MR to update the README and verify that the approval is not required

Addresses #419789 (closed)

Edited by Sashi Kumar Kumaresan

Merge request reports

Loading