Automatic merge for Auto Remediation patches

Problem to solve

Auto Remediation is able to create a new merge request if a fix is available for a given vulnerability.

Changes should be merged automatically into the original branch if the following two conditions are met:

  1. the pipeline is green (patch is not introducing errors)
  2. the vulnerability has been fixed by the change (via security reports feedback)

Target audience

  • Sasha, Software Developer
  • Sam, Security Analyst

Proposal

We can leverage the auto-merge on green pipeline functionality, but this flow will not give us feedback about the vulnerability itself. There is no reason to merge if the patch is not solving the original problem.

In order to check that the vulnerability has been fixed, we should:

  1. identify the original vulnerability we are targeting
  2. check if it is still present in the new report

Since we are creating the new branch from the vulnerable one, we could leverage the "fixed" information in the security report to spot if the change is effective.

The merge request should be merged automatically only if this check passes.
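The decision logic described above, as an added example (not GitLab's own code). It assumes a simplified security report shape (a "vulnerabilities" array whose entries carry "identifiers" and a "location"), a pipeline status string of "success" for a green pipeline, and constructed sample findings; the fingerprint deliberately ignores line numbers, since the patch itself shifts them, and a missing report on the remediation branch is treated as "not fixed" rather than as "no findings".

```ruby
require 'set'

# Constructed sample reports (the shape is an assumption for this example,
# not the exact GitLab security report schema).
BASE_REPORT = {
  'vulnerabilities' => [
    { 'identifiers' => [{ 'type' => 'cwe', 'value' => 'CWE-79' }],
      'location' => { 'file' => 'app/views/show.erb', 'start_line' => 12 } },
    { 'identifiers' => [{ 'type' => 'cwe', 'value' => 'CWE-89' }],
      'location' => { 'file' => 'app/models/user.rb', 'start_line' => 40 } }
  ]
}.freeze

# Report from the remediation branch: the CWE-79 finding is gone, the other
# one is still there but moved by two lines because of the patch.
HEAD_REPORT = {
  'vulnerabilities' => [
    { 'identifiers' => [{ 'type' => 'cwe', 'value' => 'CWE-89' }],
      'location' => { 'file' => 'app/models/user.rb', 'start_line' => 42 } }
  ]
}.freeze

# The vulnerability the Auto Remediation patch targets.
TARGET = BASE_REPORT['vulnerabilities'][0]

# Identity of a finding that survives the line shifts a patch introduces:
# identifiers plus file, deliberately excluding start_line.
def fingerprint(vuln)
  ids = (vuln['identifiers'] || []).map { |i| [i['type'], i['value']] }.sort
  [ids, vuln.dig('location', 'file')]
end

def fingerprints(report)
  (report['vulnerabilities'] || []).map { |v| fingerprint(v) }.to_set
end

# Findings present on the vulnerable branch but absent from the remediation branch.
def fixed_vulnerabilities(base_report, head_report)
  fingerprints(base_report) - fingerprints(head_report)
end

# Returns [merge?, reason]. Both conditions from the proposal must hold:
# the pipeline is green and the targeted finding is no longer reported.
def should_auto_merge(target, base_report, head_report, pipeline_status)
  return [false, "pipeline status is #{pipeline_status}, not success"] unless pipeline_status == 'success'
  return [false, 'no security report on the remediation branch; cannot confirm the fix'] if head_report.nil?

  fp = fingerprint(target)
  return [false, 'target vulnerability is not in the baseline report'] unless fingerprints(base_report).include?(fp)
  return [false, 'target vulnerability is still reported on the remediation branch'] unless fixed_vulnerabilities(base_report, head_report).include?(fp)

  [true, 'pipeline green and target vulnerability no longer reported']
end

# Comment body to post on the original merge request after the decision.
def merge_comment(target, decision)
  merged, reason = decision
  ids = (target['identifiers'] || []).map { |i| i['value'] }.join(', ')
  "Auto Remediation patch for #{ids}: #{merged ? 'merged automatically' : 'not merged'} (#{reason})."
end

if __FILE__ == $PROGRAM_NAME
  decision = should_auto_merge(TARGET, BASE_REPORT, HEAD_REPORT, 'success')
  puts merge_comment(TARGET, decision)
end
```

Matching on identifiers and file rather than on the raw report entry is what makes the "fixed" comparison hold up after the patch reorders or shifts code; checking for a missing head report separately avoids merging when the scanner did not run at all.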

After merging, we should notify users about this process. We should post a comment in the original merge request (if any).

What does success look like, and how can we measure that?

Number of merge requests automatically merged.

Links / references

&759

Edited by Olivier Gonzalez