No Vulnerability Approval Required With Detached Pipeline
Summary
When the project's CI configuration causes a detached (merge request) pipeline to be created, the vulnerability approval rule is bypassed and no vulnerabilities are shown in the merge request security widget, even though the same branch produces findings in a normal branch pipeline.
Steps to reproduce
- Create a GitLab project
- Configure the project to require vulnerability approvals for all scanners, for all severities, for all branches, and add some approvers
- Create a branch and add code with known vulnerabilities. The railsgoat project is a good candidate for this.
- Configure the .gitlab-ci.yml file as follows to run SAST and Dependency Scanning:
```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
```
- Push up the branch and open a merge request
- Observe that vulnerabilities are found, the security widget shows vulnerabilities, and approval is required to merge the merge request
- Change the .gitlab-ci.yml as follows to add a dummy job. Because the job uses `rules:`, GitLab creates a detached merge request pipeline for the merge request in addition to the branch pipeline:
```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

detachedjob:
  rules:
    - when: always
  script:
    - echo "Hello from detached job"
```
- Commit and push the change
- Observe that the merge request now reports no vulnerabilities: no vulnerability approval is required and no security widget is shown, although the vulnerable code is unchanged
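An audit check for the condition reproduced above, added here as an example and not part of the original report or of GitLab's code. It walks a list of merge requests and flags any whose head pipeline is a detached merge request pipeline that contains none of the SAST or Dependency Scanning jobs, which is the state in which there is no security report for the widget or the approval rule to act on. The record shapes are assumed to mirror the GitLab REST API (`head_pipeline` on the merge request, `source` on the pipeline, a job list per pipeline), the sample data is constructed, and scanner jobs are recognised by name containing `sast` or `dependency_scanning`, which is how the bundled templates name them.

```python
"""Flag merge requests whose head pipeline is a detached merge request
pipeline without any security scanner jobs.

Constructed example; the data shapes below are assumptions modelled on the
GitLab REST API, not output captured from a real instance.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Substrings that identify the jobs defined by the bundled SAST and
# Dependency Scanning templates (assumption: e.g. "brakeman-sast",
# "gemnasium-dependency_scanning").
SCANNER_MARKERS = ("sast", "dependency_scanning")


@dataclass
class Finding:
    mr_iid: int
    pipeline_id: Optional[int]
    reason: str


def is_detached(pipeline: dict) -> bool:
    """A detached pipeline is a merge request pipeline: GitLab reports it
    with the source "merge_request_event" rather than "push"."""
    return pipeline.get("source") == "merge_request_event"


def scanner_jobs(job_names: list[str]) -> list[str]:
    """Return the job names that belong to a security scanner."""
    return [n for n in job_names if any(m in n.lower() for m in SCANNER_MARKERS)]


def audit(merge_requests: list[dict], pipeline_jobs: dict[int, list[str]]) -> list[Finding]:
    """Return one Finding per merge request that cannot be gated by the
    vulnerability approval rule because its head pipeline carries no
    security report.

    merge_requests: MR records, each with an "iid" and a "head_pipeline"
                    (None when no pipeline has run for the MR).
    pipeline_jobs:  pipeline id -> names of the jobs in that pipeline.
    """
    findings: list[Finding] = []
    for mr in merge_requests:
        head = mr.get("head_pipeline")
        if head is None:
            findings.append(Finding(mr["iid"], None,
                                    "no head pipeline: nothing for the approval rule to evaluate"))
            continue
        scans = scanner_jobs(pipeline_jobs.get(head["id"], []))
        if is_detached(head) and not scans:
            findings.append(Finding(mr["iid"], head["id"],
                                    "detached pipeline with no scanner jobs: "
                                    "security report absent, approval rule bypassed"))
    return findings


# Constructed sample data (assumed shapes, made-up ids and names).
SAMPLE_MRS = [
    # Branch pipeline with both scanners: widget and approval work.
    {"iid": 1, "head_pipeline": {"id": 101, "source": "push"}},
    # Detached pipeline created by the dummy `rules:` job only.
    {"iid": 2, "head_pipeline": {"id": 102, "source": "merge_request_event"}},
    # Detached pipeline in which the scanners were also configured to run.
    {"iid": 3, "head_pipeline": {"id": 103, "source": "merge_request_event"}},
    # Merge request with no pipeline at all.
    {"iid": 4, "head_pipeline": None},
]
SAMPLE_JOBS = {
    101: ["brakeman-sast", "gemnasium-dependency_scanning"],
    102: ["detachedjob"],
    103: ["detachedjob", "semgrep-sast", "gemnasium-dependency_scanning"],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_MRS, SAMPLE_JOBS):
        print(f"MR !{f.mr_iid} (pipeline {f.pipeline_id}): {f.reason}")
```

Merge request 3 is deliberately not flagged: a detached pipeline is only a problem when the scanner jobs are missing from it, so the check keys on the job list, not on the pipeline type alone.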
What is the current bug behavior?
Vulnerability approval is not required for merge requests that contain vulnerabilities whenever the CI configuration causes a detached merge request pipeline to run. The security widget is not shown either.
What is the expected correct behavior?
Vulnerability approval is required for merge requests that contain vulnerabilities even if a detached pipeline occurs, and the security widget shows the vulnerabilities identified.
Relevant logs and/or screenshots
Possible fixes
None
Edited by Brett Lischalk