Merge requests - assurance that code changes are reviewed by second authorized individual [group and project access token]
Problem to solve
Group and project access tokens (each backed by its own bot account) provide a way to bypass second-reviewer ("four-eyes") merge request approval controls.
A Maintainer can create a project access token with the api scope. That token can push changes to the Git repository and open merge requests, and those activities are attributed to the token's bot account rather than to the Maintainer who created it, so the same person can then approve the change under their own account.
Context
Merge requests are used by some of our customers as part of their compliance assurance processes.
What follows is an edited quote from PCI DSS (v3.2.1, May 2018), by way of example only. Other compliance and regulatory frameworks exist, and any that cover software development are likely to impose similar requirements, since it is hard to argue against this as a minimal best practice:
Requirement
6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability [..] to include at least [..]:
- Code changes are reviewed by individuals other than the originating code author
Testing procedure
6.3.2.a Examine written [..] procedures and interview [..] personnel to verify that all custom application code changes must be reviewed [..]:
- Code changes are reviewed by individuals other than the originating code author,
6.3.2.b Select a sample of recent custom application changes and verify that custom application code is reviewed
Like many frameworks, PCI DSS is audited regularly and carries many requirements, so it makes sense to simplify evidence-gathering by using controls in the system that enforce the process, rather than relying on written procedure alone.
GitLab provides several features that combine to enforce this requirement: protected branches, merge request approval rules, and so on.
Relevant points from merge request approvals:
To prevent merge request authors from approving their own merge requests, enable Prevent author approval in your project’s settings.
Required approvals enforce code reviews by the number and type of users you specify. Without the approvals, the work cannot merge.
Proposal
Implement additional measures so that merge request approvals still satisfy this kind of requirement when a group or project access token has been used to push or open the merge request. Because the bot account is shared by whoever holds the token, it is not possible to tell whether that token is controlled by the author of the code, so an approval that involves the bot (as author or as approver) cannot be counted as independent review.
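Until such a control exists server-side, the gap can at least be detected after the fact. The script below is an added example (not part of this issue and not GitLab's own code): it audits merged merge requests and flags any whose author or approvers are access-token bot accounts, or that lack an approval by a human other than the author. It consumes records shaped like the GitLab REST API responses for merged merge requests, merge request approvals, and user lookups, but the records embedded here are constructed so it runs offline; the `project_<id>_bot` / `group_<id>_bot` username pattern is used as a secondary heuristic and is an assumption of this example.

```python
"""Audit merged merge requests for the access-token loophole described above.

Added example, not GitLab's own code. It consumes records shaped like the
GitLab REST API responses (GET /projects/:id/merge_requests?state=merged,
GET /projects/:id/merge_requests/:iid/approvals, GET /users/:id), but the
records below are constructed inline so the script runs offline.
"""
import re

# GitLab names project/group access token bot users "project_<id>_bot..." or
# "group_<id>_bot..."; the users API also exposes a boolean "bot" field.
# Both signals are checked; the username pattern is an assumption of this example.
BOT_USERNAME_RE = re.compile(r"^(project|group)_\d+_bot")


def is_bot_user(user: dict) -> bool:
    """True when the full user record (GET /users/:id) identifies a bot."""
    if user.get("bot"):
        return True
    return BOT_USERNAME_RE.match(user.get("username", "")) is not None


def check_merge_request(mr: dict, approvals: dict, users: dict) -> list:
    """Return the reasons this merged MR fails the 'reviewed by someone other
    than the author' control; an empty list means it passes."""
    reasons = []
    author = users[mr["author"]["id"]]
    approvers = [users[a["user"]["id"]] for a in approvals.get("approved_by", [])]

    if is_bot_user(author):
        # Whoever holds the token pushed and opened the MR, so the real author
        # is unknown and the second-reviewer requirement cannot be shown to hold.
        reasons.append("author %s is an access-token bot account" % author["username"])

    bot_approvers = [u["username"] for u in approvers if is_bot_user(u)]
    if bot_approvers:
        reasons.append("approval granted by bot account(s): %s" % ", ".join(bot_approvers))

    # An approval only counts as independent review if it came from a human
    # who is not the author.
    independent = [u for u in approvers if not is_bot_user(u) and u["id"] != author["id"]]
    if not independent:
        reasons.append("no approval by a human other than the author")
    return reasons


def audit(merged_mrs: list, approvals_by_iid: dict, users: dict) -> dict:
    """Map MR iid -> list of reasons, for every merged MR that fails the check."""
    findings = {}
    for mr in merged_mrs:
        reasons = check_merge_request(mr, approvals_by_iid.get(mr["iid"], {}), users)
        if reasons:
            findings[mr["iid"]] = reasons
    return findings


# ---- constructed sample data (shapes follow the GitLab API, values invented) ----
USERS = {
    1: {"id": 1, "username": "alice", "bot": False},
    2: {"id": 2, "username": "bob", "bot": False},
    3: {"id": 3, "username": "carol", "bot": False},
    42: {"id": 42, "username": "project_42_bot", "bot": True},
    77: {"id": 77, "username": "group_7_bot", "bot": True},
}
MERGED_MRS = [
    {"iid": 101, "author": {"id": 1}},   # human author, human reviewer: passes
    {"iid": 102, "author": {"id": 42}},  # opened via a project access token
    {"iid": 103, "author": {"id": 3}},   # approved only by a group bot
]
APPROVALS = {
    101: {"approved_by": [{"user": {"id": 2}}]},
    102: {"approved_by": [{"user": {"id": 1}}]},
    103: {"approved_by": [{"user": {"id": 77}}]},
}

if __name__ == "__main__":
    for iid, reasons in audit(MERGED_MRS, APPROVALS, USERS).items():
        print("MR !%d: %s" % (iid, "; ".join(reasons)))
```

Run against a real project by replacing the three constants with the corresponding API responses (paginating the merged merge request list). Note that MR 102 is flagged even though a human approved it: the approval cannot be shown to be independent, because the person who holds the token that opened it may be the same person who approved it.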
Intended users
Feature Usage Metrics
Does this feature require an audit event?