GitLab Policies does not alert admin on failed/invalid policies
Situation
Currently, GitLab scan result policies allow us to define which security findings are allowed to be merged at the MR level. This is a super useful feature and we are using it every day in our pipeline.
Problem: when an existing policy becomes invalid (e.g. because of a syntax issue or deprecated functionality), GitLab does NOT notify the admin or display any error indicating that it is no longer working. Under the policy settings it still shows as enabled with a green check, even though the policy is technically invalid and not being enforced at all.
The consequences of this are huge. It silently allows critical vulnerabilities to be merged without the security approval requirement and without us ever knowing, which defeats the purpose of having a policy in the first place.
Proposal
Add an alerting mechanism via email/Slack to notify the policy admins when a policy is no longer working. At minimum the alert should include the following details:
- Path to the project/group
- Failure cause
- Timestamp
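A defender-side stopgap for the gap described above, added here as an example and not part of the issue or of GitLab's own code: a small linter over a parsed policy file that emits the alert record the proposal asks for (project path, failure cause, timestamp). The policy contents and the schema checks are constructed assumptions that only approximate GitLab's scan result / approval policy format.

```python
from datetime import datetime, timezone

# Constructed stand-ins for the parsed contents of a security policy project's
# .gitlab/security-policies/policy.yml; not taken from the issue.
VALID_POLICY = {"approval_policy": [{
    "name": "Block criticals", "enabled": True,
    "rules": [{"type": "scan_finding", "branches": ["main"], "scanners": ["sast"],
               "vulnerabilities_allowed": 0, "severity_levels": ["critical"],
               "vulnerability_states": ["new_needs_triage"]}],
    "actions": [{"type": "require_approval", "approvals_required": 1,
                 "role_approvers": ["maintainer"]}]}]}
# Same intent, but with the deprecated top-level key, a misspelled rule key and
# a missing field: the kind of drift the issue says goes unnoticed.
BROKEN_POLICY = {"scan_result_policy": [{
    "name": "Block criticals", "enabled": True,
    "rules": [{"type": "scan_finding", "branches": ["main"], "scanners": ["sast"],
               "vulnerabilites_allowed": 0, "severity_levels": ["critical"]}],
    "actions": [{"type": "require_approval", "approvals_required": 1}]}]}
# Assumed minimum fields of a scan_finding rule; an approximation of GitLab's
# schema, not the official validator.
REQUIRED_RULE_KEYS = ("scanners", "vulnerabilities_allowed",
                      "severity_levels", "vulnerability_states")


def lint_policy(doc):
    """Return failure causes for one parsed policy file; empty means it looks enforceable."""
    causes = []
    if "scan_result_policy" in doc:
        causes.append("top-level key 'scan_result_policy' is deprecated; use 'approval_policy'")
    for pol in doc.get("approval_policy", doc.get("scan_result_policy", [])):
        name = pol.get("name", "<unnamed>")
        for rule in pol.get("rules", []):
            if rule.get("type") != "scan_finding":
                continue
            if "branches" not in rule and "branch_type" not in rule:
                causes.append(f"{name}: rule has neither 'branches' nor 'branch_type'")
            for key in REQUIRED_RULE_KEYS:
                if key not in rule:
                    causes.append(f"{name}: rule is missing '{key}'")
        if not any(a.get("type") == "require_approval" for a in pol.get("actions", [])):
            causes.append(f"{name}: no 'require_approval' action, so merges are never gated")
    return causes


def build_alert(project_path, doc, now=None):
    """Build the alert record the issue asks for, or None when the policy lints clean."""
    causes = lint_policy(doc)
    if not causes:
        return None
    return {"project": project_path, "failure_cause": "; ".join(causes),
            "timestamp": (now or datetime.now(timezone.utc)).isoformat()}
```

Run it against each policy file on a schedule (or in the policy project's own pipeline) and route any non-empty alert to the email/Slack channel the proposal describes.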