Merge Request Approval Policy on Secret Detection blocks even when no secret is detected

Summary

The Merge Request Approval Policy on Secret Detection blocks Merges even if no secret is detected.

Steps to reproduce

  1. Create an empty group
  2. Add a second user (Developer+ role) to your group (if you want to be autonomous, create a user with "plus addressing" on your gitlab.com email address)
  3. Create an MR Approval Policy
  4. Use the following YAML, with your own user ID and the user ID of the second developer from your project:

```yaml
type: approval_policy
name: Test MRAP
description: ''
enabled: true
policy_scope:
  projects:
    excluding: []
rules:
  - type: scan_finding
    scanners:
      - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 14509426
      - 10994493
  - type: send_bot_message
    enabled: true
approval_settings:
  block_branch_modification: false
  prevent_pushing_and_force_pushing: false
  prevent_approval_by_author: false
  prevent_approval_by_commit_author: false
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
fallback_behavior:
  fail: closed
```
  5. Merge your policy
  6. Create another policy
  7. It can be anything, for example a Scan Execution Policy that detects secrets.
  8. Try to merge.
  9. The MR is blocked and requires an approval, while:
     1. there is no secret leak, so you should not be blocked;
     2. you should be able to approve your own MR, according to:
        prevent_approval_by_author: false
        prevent_approval_by_commit_author: false
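To make the expected behaviour concrete, here is an added example (not GitLab's code) that models how the scan_finding rule above should be evaluated against a merge request: no secret-detection findings means no approval requirement, and with prevent_approval_by_author false the author may approve. It assumes simplified semantics: a rule fires when matching findings exceed vulnerabilities_allowed, empty severity_levels/vulnerability_states match everything, and fallback_behavior fail: closed only applies when the scanner's results are missing.

```python
from dataclasses import dataclass

# The policy from the issue, transcribed into a dict (IDs as in the report).
POLICY = {
    "rules": [{
        "type": "scan_finding",
        "scanners": ["secret_detection"],
        "vulnerabilities_allowed": 0,
        "severity_levels": [],        # empty list: any severity (assumption)
        "vulnerability_states": [],   # empty list: any state (assumption)
    }],
    "actions": [{"type": "require_approval", "approvals_required": 1,
                 "user_approvers_ids": [14509426, 10994493]}],
    "approval_settings": {"prevent_approval_by_author": False,
                          "prevent_approval_by_commit_author": False},
    "fallback_behavior": {"fail": "closed"},
}


@dataclass
class Finding:
    """One scanner finding on the MR pipeline (constructed sample data)."""
    scanner: str
    severity: str
    state: str = "detected"


def rule_requires_approval(policy, rule, findings, scanners_reported):
    """True when this scan_finding rule should block the merge request."""
    if not set(rule["scanners"]) <= set(scanners_reported):
        # No result to compare: fail closed blocks, fail open allows.
        return policy["fallback_behavior"]["fail"] == "closed"
    matches = [
        f for f in findings
        if f.scanner in rule["scanners"]
        and (not rule["severity_levels"] or f.severity in rule["severity_levels"])
        and (not rule["vulnerability_states"] or f.state in rule["vulnerability_states"])
    ]
    return len(matches) > rule["vulnerabilities_allowed"]


def evaluate(policy, findings, scanners_reported, author_id):
    """Return (approval_required, author_may_self_approve) for one MR."""
    blocked = any(rule_requires_approval(policy, r, findings, scanners_reported)
                  for r in policy["rules"])
    approvers = policy["actions"][0]["user_approvers_ids"]
    self_ok = (author_id in approvers
               and not policy["approval_settings"]["prevent_approval_by_author"])
    return blocked, self_ok
```

Under this model the reproduction scenario (secret detection ran, zero findings, author 14509426) evaluates to no block and self-approval allowed; the same policy blocks only when a finding is present or when no secret_detection result exists at all.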

Example Project

gl-demo-ultimate-odupre/shared-tests/tanuki-racing-sd/tanuki-racing-sd-security-policy-project!3

What is the current bug behavior?

The MR is blocked when it should not be, and you cannot approve your own MR when you should be able to.

What is the expected correct behavior?

No blocker (and the ability to auto-approve your own MR/commits).

Relevant logs and/or screenshots

Three screenshots attached: Screenshot_2024-10-31_at_17.27.29, Screenshot_2024-10-31_at_17.26.49, Screenshot_2024-10-31_at_17.26.42

Output of checks

This bug happens on GitLab.com

Possible fixes

  1. Override the default behavior for newly generated SPPs to disallow authors from also approving their own merge requests. The project setting may still be applied when/as needed.
  2. Ensure the "Why can't I approve" option appears and works with security policies.
Edited Nov 29, 2024 by Grant Hickman