Leverage merge request approvals to prevent merging prohibited licenses - License Compliance Approvals in Merge Request MVC
was: disallow merging with blacklisted licenses
Problem to solve
Currently, the license compliance section in the merge request widget only displays newly detected licenses (blacklisted, approved, unclassified). A merge request that introduces a blacklisted license can still be merged without any approval or notification. We need to be able to block the merge when a blacklisted license is newly committed/detected in a merge request.
Smaller to mid-size orgs
- Software Asset Manager (wiki) or user responsible for license compliance
License compliance user job to be done
- User who may be adding licenses via commit: "When my organization has license compliance rules to follow I want to be able to whitelist or blacklist licenses so that I can ensure any new code merged in a project is in compliance". gitlab-design#402 (closed)
- User that is accountable for compliance: "When new licenses are added to a project I want to be aware so I can commit work that is compliant with my organization's rules". gitlab-design#402 (closed)
We are leveraging the approval rules (approver group) feature to block merging an MR in which a newly introduced blacklisted license is detected (similar to https://gitlab.com/gitlab-org/gitlab-ee/issues/9928). This is for users who are accountable for license compliance (currently only a project Maintainer can change License Management settings).
1. The user blacklists a specific license in the license compliance area, which is currently in Project Settings > CI/CD > License Management (example: https://gitlab.com/gitlab-examples/security/security-reports/-/settings/ci_cd). Note: this assumes that the feature has been configured correctly; there is a UX issue here: https://gitlab.com/gitlab-org/gitlab-ee/issues/12685
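As an added example that is not part of this issue or of GitLab's own code, the following Python sketches the check a "License-Check" rule would have to perform: diff the license report of the target branch against the report of the MR's source branch, classify each newly introduced license against the maintainer's approved/blacklisted policy, and require approval only when a newly introduced license is blacklisted. Licenses that are blacklisted but already present on the target branch do not trigger the rule, since the MR did not introduce them. The report shape (a list of dependencies, each with license names), the policy dict, the sample data and all function names are assumptions for illustration, not GitLab's report schema or API.

```python
"""Added example: decide whether an MR newly introduces a blacklisted license.

The report layout below (dependencies, each with a list of license names) is an
assumed, simplified shape for illustration, not GitLab's exact license report schema.
"""

# Constructed sample report for the target branch (what the MR merges into).
# It already contains a GPL-2.0 dependency, which must NOT trigger the check.
TARGET_REPORT = {
    "dependencies": [
        {"name": "rails", "version": "5.2.3", "licenses": ["MIT"]},
        {"name": "nokogiri", "version": "1.10.3", "licenses": ["MIT"]},
        {"name": "old-gpl-tool", "version": "0.9", "licenses": ["GPL-2.0"]},
    ]
}

# Constructed sample report for the MR's source branch: two new dependencies.
SOURCE_REPORT = {
    "dependencies": [
        {"name": "rails", "version": "5.2.3", "licenses": ["MIT"]},
        {"name": "nokogiri", "version": "1.10.3", "licenses": ["MIT"]},
        {"name": "old-gpl-tool", "version": "0.9", "licenses": ["GPL-2.0"]},
        {"name": "ruby-prof", "version": "1.0.0", "licenses": ["BSD-2-Clause"]},
        {"name": "some-gpl-lib", "version": "2.1", "licenses": ["GPL-3.0", "LGPL-3.0"]},
    ]
}

# Assumed policy as a maintainer would configure it: whitelist and blacklist.
POLICY = {
    "approved": {"MIT", "BSD-2-Clause", "Apache-2.0"},
    "blacklisted": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}


def licenses_in(report):
    """Set of all license names referenced by any dependency in a report."""
    return {lic for dep in report["dependencies"] for lic in dep.get("licenses", [])}


def classify(license_name, policy):
    """Map a license to the three states the MR widget shows."""
    if license_name in policy["blacklisted"]:
        return "blacklisted"
    if license_name in policy["approved"]:
        return "approved"
    return "unclassified"


def new_licenses(target_report, source_report, policy):
    """Licenses present on the source branch but absent from the target branch,
    each with its policy classification. Pre-existing licenses are ignored."""
    introduced = licenses_in(source_report) - licenses_in(target_report)
    return {name: classify(name, policy) for name in sorted(introduced)}


def dependencies_with(report, license_name):
    """Names of the dependencies in a report that carry the given license."""
    return sorted(d["name"] for d in report["dependencies"]
                  if license_name in d.get("licenses", []))


def license_check_required(target_report, source_report, policy):
    """Return (required, blocking). required is True when the MR newly introduces
    at least one blacklisted license; blocking maps each such license to the
    dependencies that introduced it, so the approver can see what to review."""
    findings = new_licenses(target_report, source_report, policy)
    blocking = {name: dependencies_with(source_report, name)
                for name, status in findings.items() if status == "blacklisted"}
    return bool(blocking), blocking


if __name__ == "__main__":
    required, blocking = license_check_required(TARGET_REPORT, SOURCE_REPORT, POLICY)
    print("License-Check approval required:", required)
    for name, deps in blocking.items():
        print(f"  {name}: introduced by {', '.join(deps)}")
```

The design point is the set difference: the rule is keyed on what the MR introduces relative to its target branch, so a project that already ships a blacklisted license is not blocked on every unrelated MR, while an MR that adds a new blacklisted license is flagged together with the dependency that brought it in.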
Permissions and Security
- Security approvals backend implementation video walkthrough
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
- To see what our current baseline license compliance UX looks like, see the following issues:
- Add "License-Check" approval rule to backend code to enforce policy
- Add License-Check approval rule to the list of approvers in the MR.
- Add the proper documentation/user guides to use this new feature.