Trigger auto merge check when the security scans are changed
What does this MR do and why?
When the violations are updated, we should recheck the auto merge process
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
-
Turn on feature flag
policy_mergability_checkand ensure you have a Docker runner -
In the project, ensure that
mainis a protected branch. -
Create
.gitlab-ci.yml:include: - template: Jobs/Secret-Detection.gitlab-ci.yml test-job: stage: test script: - echo "Testing" -
Go to Secure -> Policies -> New policy. Select "Merge request approval policy".
-
Switch to the
.yaml modeand use the following YAML:type: approval_policy name: Security description: '' enabled: true rules: - type: scan_finding scanners: [] vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: [] branch_type: protected actions: - type: require_approval approvals_required: 1 role_approvers: - developer approval_settings: block_branch_modification: true prevent_pushing_and_force_pushing: true prevent_approval_by_author: true prevent_approval_by_commit_author: true remove_approvals_with_new_commit: true require_password_to_approve: false fallback_behavior: fail: closed -
Put a sleep in
ee/app/services/security/security_orchestration_policies/update_violations_service.rb:43sleep(20) -
Configure with a merge request && merge
-
Go back to the project and open a new MR
-
Create a
.envfile with `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ' -
Push, and wait for the CI to run, and the mergeability check should fail
-
Fix the violation by removing the token and push
-
Set Auto merge while polices are syncing
-
The MR should auto merge after syncing the polices
Related to #500015