
Spike: Store analyzers results metadata to allow MR Approval Policies decide if approval should be required or not

Time-box: 4 days

Why are we doing this work

Our team has been actively involved in Support exit codes in Security Policies (#465885), brainstorming potential solutions to enhance the integration between MR Approval Policies, Scan Execution Policies, and Analyzers. One of the key challenges we've identified is the efficient storage and retrieval of additional information provided by the analyzer during MR Approval Policies evaluation.

After we store that data internally, we need an internal API (class/module) that returns information about the scan so that, if a policy is declared in a given project, we can decide what to do about required approvals. Example questions that we should be able to answer:

  • Did it or did it not run?
  • If it didn't run, why?
  • If it did run, what were the settings? e.g.:
    • What was scanned?
    • What was it scanned for?
    • What tools/versions were used for this?
    • Where can the results be found?

One insight from that discussion that might be useful when solving this Spike:

I agree, we already have security_scans to store information about performed scans. Currently we are creating this after the pipeline is completed; perhaps we could create it before we execute the pipeline, based on the pipeline configuration, and then analyzers would be able to return information that could be stored there, and then we could have some Metadata API as suggested. 🤔
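The sketch below is an added illustration of the Metadata API the questions above ask for, following the suggestion in the quote of creating the scan record from the pipeline configuration before execution and letting the analyzer fill it in afterwards. It is example code written for this page, not GitLab's code: `ScanMetadata`, `MetadataStore`, `ApprovalDecision`, the analyzer report format and all field names are hypothetical and do not correspond to the real `security_scans` schema or to any analyzer's actual output.

```ruby
require 'json'

# Hypothetical record, one per scan the pipeline configuration declares.
# Holding a row before the job runs is what makes "did it run, and if not why"
# answerable: a scan that never reports back stays :pending or :skipped.
ScanMetadata = Struct.new(
  :scan_type, :status, :reason, :exit_code,
  :targets, :detections, :tool, :results_path,
  keyword_init: true
) do
  def ran?
    status == :succeeded
  end

  # One structure answering the spike's questions for this scan.
  def summary
    {
      scan_type: scan_type,
      ran: ran?,
      reason: reason,
      settings: ran? ? { targets: targets, detections: detections, tool: tool } : nil,
      results_path: ran? ? results_path : nil
    }
  end
end

class MetadataStore
  def initialize
    @scans = {}
  end

  # Called before the pipeline executes. Scans the configuration does not
  # declare never get a record, which answers "not run because not configured".
  def register(pipeline_config)
    pipeline_config.fetch('scans').each do |scan|
      @scans[scan['type']] = ScanMetadata.new(scan_type: scan['type'], status: :pending)
    end
    self
  end

  # Called with the analyzer's JSON output (hypothetical format, not a real report schema).
  # A non-zero exit code marks the scan failed and keeps the analyzer's error text.
  def record_result(scan_type, raw_report)
    report = JSON.parse(raw_report)
    scan = @scans.fetch(scan_type) { raise ArgumentError, "scan #{scan_type} was not registered" }
    scan.exit_code = report.fetch('exit_code')
    if scan.exit_code.zero?
      scan.status = :succeeded
      scan.targets = report['targets']
      scan.detections = report['detections']
      scan.tool = report['tool']
      scan.results_path = report['results_path']
    else
      scan.status = :failed
      scan.reason = report['error'] || "analyzer exited with #{scan.exit_code}"
    end
    scan
  end

  # Called when the pipeline finished but the job never started (e.g. excluded by rules).
  def mark_skipped(scan_type, reason)
    @scans.fetch(scan_type).tap do |scan|
      scan.status = :skipped
      scan.reason = reason
    end
  end

  def fetch(scan_type)
    @scans[scan_type]
  end
end

module ApprovalDecision
  # Fail closed: a required scan that did not complete successfully cannot show
  # the MR is clean, so approval stays required. Returns [required?, why].
  def self.approval_required?(store, required_scan_types)
    required_scan_types.each do |type|
      scan = store.fetch(type)
      return [true, "#{type}: not configured in the pipeline"] if scan.nil?
      next if scan.ran?

      detail = scan.reason ? " (#{scan.reason})" : ''
      return [true, "#{type}: #{scan.status}#{detail}"]
    end
    [false, 'all required scans ran']
  end
end

# Constructed sample data (not real pipeline or analyzer output).
def sample_store
  store = MetadataStore.new.register('scans' => [{ 'type' => 'sast' }, { 'type' => 'dependency_scanning' }])
  store.record_result('sast', JSON.generate(
    'exit_code' => 0, 'targets' => ['src/'], 'detections' => ['default-ruleset'],
    'tool' => { 'name' => 'example-analyzer', 'version' => '1.2.3' },
    'results_path' => 'gl-sast-report.json'
  ))
  store
end

if __FILE__ == $PROGRAM_NAME
  store = sample_store
  puts store.fetch('sast').summary.inspect
  puts ApprovalDecision.approval_required?(store, %w[sast dependency_scanning]).inspect
end
```

The decision helper deliberately treats "not configured", "pending", "skipped" and "failed" the same way for approval purposes but reports different reasons, because the reason is what a policy author and an MR reviewer need to see; whether the policy should fail open on some of those states is exactly the kind of question the spike has to settle.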

As an expected result of this Spike, we would like to get the following:

  • PoC MR with proposed changes for backend (GraphQL API, database changes, etc.) or initial plan how to implement it,
  • implementation issues for backend,