
Require approvals for missing policy scans without target pipeline

What does this MR do and why?

Fixes a bug in the merge request approval policy evaluation logic for the case where the target branch has no pipeline. Policies that mandate security scans which are absent from the source branch pipeline are currently unblocked in error. This MR fixes that behaviour so the approval is required as the policy intends.

Related to https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/336

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Create a new project
  • Navigate to Secure > Policies and create the following Merge request approval policy:

```yaml
type: approval_policy
name: Dependency Scanning
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners:
      - dependency_scanning
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers: [owner]
```

  • Check out a new branch and commit the following .gitlab-ci.yml (it runs container scanning only, not the dependency scanning the policy mandates):

```yaml
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: alpine
```

  • Open a merge request for the branch and verify that it requires approval
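The following is an added illustrative model of the evaluation described in this MR, not GitLab's own code: it places the pre-fix and post-fix decision side by side for the scenario above (policy mandates dependency_scanning, source pipeline ran only container_scanning, target branch has no pipeline). Pipelines are represented as constructed scanner-name => findings-count hashes, nil standing for a missing pipeline, and the "new findings relative to the target pipeline" comparison is an assumed simplification.

```ruby
require 'set'

# Rule from the policy in the steps above: dependency scanning must run and
# report no findings, otherwise one owner approval is required.
DEPENDENCY_SCANNING_RULE = {
  type: 'scan_finding',
  scanners: ['dependency_scanning'],
  vulnerabilities_allowed: 0
}.freeze

# Constructed sample pipelines: scanner name => findings count. nil stands for
# "this branch has no pipeline at all", the case the MR fixes.
SOURCE_PIPELINE = { 'container_scanning' => 0 }.freeze # from the .gitlab-ci.yml above
NO_TARGET_PIPELINE = nil

# Scanners the rule mandates that never produced a report in this pipeline.
def missing_scanners(rule, pipeline)
  rule[:scanners].to_set - (pipeline || {}).keys.to_set
end

# Findings introduced by the source branch. Assumption: with a target pipeline,
# only findings above its baseline count; without one, every finding counts.
def new_findings(rule, source, target)
  rule[:scanners].sum do |scanner|
    baseline = target ? target.fetch(scanner, 0) : 0
    [source.fetch(scanner, 0) - baseline, 0].max
  end
end

# Before the fix: an absent target pipeline short-circuits the whole rule, so a
# source branch that never ran the mandated scanner is waved through.
def approval_required_buggy?(rule, source, target)
  return false if target.nil?
  return true unless missing_scanners(rule, source).empty?
  new_findings(rule, source, target) > rule[:vulnerabilities_allowed]
end

# After the fix: a mandated scanner missing from the source pipeline always
# requires approval (fail closed); the target pipeline only refines the count.
def approval_required_fixed?(rule, source, target)
  return true unless missing_scanners(rule, source).empty?
  new_findings(rule, source, target) > rule[:vulnerabilities_allowed]
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{approval_required_buggy?(DEPENDENCY_SCANNING_RULE, SOURCE_PIPELINE, NO_TARGET_PIPELINE)}" # false
  puts "fixed: #{approval_required_fixed?(DEPENDENCY_SCANNING_RULE, SOURCE_PIPELINE, NO_TARGET_PIPELINE)}" # true
end
```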
Edited by Dominic Bauer
