Security Approval rule isn't optional when it should be
Summary
The Security Approval Rule requires an approval even if no new vulnerabilities are found or if they are medium or low severity.
Steps to reproduce
- Have any project (even one created from project templates).
- Enable Security Approvals within that project
- Create an MR
- Make a change (do not add new vulnerabilities or add low or medium severity ones) and run a pipeline (any pipeline will do).
- Check the MR page: an approval will be required for the Vulnerability-Check rule.
Example Project
Project: https://gitlab.com/vlad.budica/joel-springsample-latest
MR: https://gitlab.com/vlad.budica/joel-springsample-latest/-/merge_requests/2
I don't know why I can't set the project as Public (the option is greyed out), but I can give access to it as needed.
What is the current bug behavior?
Even if the approval from the Vulnerability-Check should be optional, it's always mandatory.
What is the expected correct behavior?
For no new vulnerabilities or for low and medium ones no approval is required.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com; I don't know if this happens on self-managed as well.
Possible fixes
I think the problem comes from the logic that determines if the approval should be required or not.