Better display of security approvers in the Merge Request view
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Context :
Our AppSec Policy requires security approval for vulnerabilities found in Merge Requests, using MR Approval policies. Security approvers are defined through a Gitlab group. We use the same group for all teams, regardless of the team entity.
Problem to solve :
Only direct members of our approvers group with at least read access to the Gitlab project can approve the Merge Request with a vulnerability. But in the Merge Request view, we see all members of our approvers group as approvers.
To be clearer, we need to see only members who have access to the project, so only those who can effectively approve the Merge Request. This causes confusion because we don't really know who can approve the Merge Request.
Intended users :
Delaney (Development Team Lead)
Amy (Application Security Engineer)
Alex (Security Operations Engineer)
User experience goal :
The user should only be able to see approvers who have access to their project and are therefore authorized to approve their Merge Request.
Further details
In this example, we have two eligible approvers, but only one has access to the project and can effectively approve the Merge Request. Project members might not understand why they need approval from someone who works for another entity.
Available Tier
Ultimate/Gold
What does success look like, and how can we measure that?
Only approver who are part of the security approvers group and have access to the project related to the Merge Request are displayed in the Merge Request view.
Links / references
Used Gitlab feature, Merge Request approval policies :