Add documentation for MR approval policies
The situation creates an interesting security process question for an organization that uses MR approval policies: who is responsible for addressing vulnerabilities identified by CVS in the default branch? Perhaps it's worth documenting the situation, even if we don't make a recommendation.
Can we add an explanation to our documentation of:
- why vulnerabilities reported after code is merged to the default branch will not surface in the merge request
- Reason: the core issue here is that the customer has a merge request approval policy which runs Dependency Scanning, DAST, and SAST. The scans ran on the branch and did not surface any vulnerabilities in the merge request, nor were the vulnerabilities reported in the pipeline's Security tab. The vulnerability is later detected by the continuous vulnerability scanning feature.