Fix resetting approvals when pipeline is manual
What does this MR do and why?
Fixes a bug with MR approval policy where a manual pipeline is not considered for comparison when resetting the approval rules.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
How to set up and validate locally
- Create project, and create a new branch and make this branch a protected branch.
- Add a scan result policy that requires approval when new vulnerabilities are detected:
```yaml
name: SRP
description: ''
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 15017953
rules:
  - type: scan_finding
    scanners:
      - dependency_scanning
      - sast
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
    vulnerability_states: []
    branch_type: protected
```
- Add a `.gitlab-ci.yml` file to the new branch you created in Step 1 and make one of the security scans manual:
```yaml
semgrep-sast:
  stage: test
  script:
    - cp gl-sast-report_no_vulnerabilities.json gl-sast-report.json
  artifacts:
    paths:
      - gl-sast-report.json
    reports:
      sast:
        - gl-sast-report.json

gemnasium-maven-dependency_scanning:
  stage: test
  when: manual
  allow_failure: false
  script:
    - cp gl-dependency-scanning-report_no_findings.json gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
    reports:
      dependency_scanning:
        - gl-dependency-scanning-report.json
```
Add these files to the project:
  - `gl-sast-report_no_vulnerabilities.json`
  - `gl-dependency-scanning-report_no_findings.json`
- Create an MR to update the README and verify that the approval is not required
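The following is an added illustration, not GitLab's own code, of how the validation steps above fit together: the `scan_finding` rule from the policy is parsed, findings are filtered by the rule's scanners and severity levels, and the source and target pipelines are compared to decide whether the `require_approval` action stays in force. The `COMPARABLE_STATUSES` set, the helper names and the sample pipelines are assumptions made for this example; the point it shows is the MR's edge case, where the newest pipeline on each branch is waiting on a manual job and therefore has status `manual`.

```ruby
# Added example (not GitLab's code): simplified evaluation of a scan_finding
# rule, including the "latest pipeline is waiting on a manual job" case.
require 'yaml'
require 'set'

# The policy from the MR description, embedded so the example runs offline.
POLICY_YAML = <<~YAML
  name: SRP
  description: ''
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 15017953
  rules:
    - type: scan_finding
      scanners:
        - dependency_scanning
        - sast
      vulnerabilities_allowed: 0
      severity_levels:
        - critical
        - high
        - medium
      vulnerability_states: []
      branch_type: protected
YAML

# Pipeline statuses whose security reports take part in the comparison.
# A pipeline blocked on a manual job reports status "manual"; the bug the
# MR fixes is that such a pipeline was skipped. (assumption: illustrative set)
COMPARABLE_STATUSES = Set['success', 'manual'].freeze

# One finding from a scanner report (constructed shape for this example).
Finding = Struct.new(:scanner, :severity, :uuid, keyword_init: true)

# Returns the policy's first scan_finding rule as a Hash.
def scan_finding_rule(policy_yaml = POLICY_YAML)
  policy = YAML.safe_load(policy_yaml)
  policy['rules'].find { |r| r['type'] == 'scan_finding' }
end

# Keeps only findings the rule cares about: matching scanner and severity.
def matching_findings(findings, rule)
  findings.select do |f|
    rule['scanners'].include?(f.scanner) && rule['severity_levels'].include?(f.severity)
  end
end

# Picks the newest pipeline (list is newest first) whose status allows its
# reports to be compared; nil when none qualifies.
def pipeline_for_comparison(pipelines, comparable)
  pipelines.find { |p| comparable.include?(p[:status]) }
end

# Decides whether the require_approval action must remain. Without a usable
# pipeline on either side the approval is kept (conservative choice for this
# example), which is exactly the symptom the MR describes.
def approval_required?(rule, source_pipelines, target_pipelines, comparable: COMPARABLE_STATUSES)
  source = pipeline_for_comparison(source_pipelines, comparable)
  target = pipeline_for_comparison(target_pipelines, comparable)
  return true if source.nil? || target.nil?

  known = matching_findings(target[:findings], rule).map(&:uuid).to_set
  new_findings = matching_findings(source[:findings], rule).reject { |f| known.include?(f.uuid) }
  new_findings.size > rule['vulnerabilities_allowed']
end

# Constructed sample pipelines mirroring the validation steps: the
# dependency_scanning job is manual, so both latest pipelines sit in "manual"
# with empty reports.
TARGET_PIPELINES = [{ status: 'manual', findings: [] }].freeze
SOURCE_PIPELINES = [{ status: 'manual', findings: [] }].freeze

if __FILE__ == $PROGRAM_NAME
  rule = scan_finding_rule
  puts "fixed:  approval required? #{approval_required?(rule, SOURCE_PIPELINES, TARGET_PIPELINES)}"
  puts "buggy:  approval required? #{approval_required?(rule, SOURCE_PIPELINES, TARGET_PIPELINES, comparable: Set['success'])}"
end
```

Running it prints `false` for the fixed behaviour and `true` for the buggy one: when `manual` is excluded from the comparable statuses, no pipeline qualifies and the approval is never reset, even though both reports are empty.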
Addresses #419789 (closed)
Edited by Sashi Kumar Kumaresan