Implement audit events related to security policy violations in merge requests

Description

This task involves implementing audit events for security policy violations in merge requests to help security and compliance teams monitor policy enforcement and violations.

Links / references

• Related to Epic: Security Policy Audit Events
• Spike issue: #528565 (closed)
• POC MR: !188432 (closed)

Use Cases

• Generate an audit event when a policy violation is detected from an MR approval policy ( Stream only )
• Generate an audit event when a policy violation is resolved in the same MR ( Stream only )
• Generate an audit event when an MR is merged with violations, differentiating between:
  • Violated MR merged with approval
  • MR merged without policy-related approval due to "fail open" configuration

Implementation Details

• Utilize the EventStore and MergeRequests::MergedEvent
• Implement in ProcessMergeAuditEventWorker and trigger CleanupMergeRequestViolationsWorker after merged events are recorded. Ref
• Implementation is behind the feature flag for controlled rollout

Technical Considerations:

• When MR is merged with violations, there can be two types of scenarios: 1. Violated MR was merged with approval, and 2. The policy was "fail open" and user was able to merge the MR without policy-related approval. Track both types of events but with a differentiation to help identify the events.
• Do not track policy violations with MR approval policy type "any_merge_request"

Success Criteria

• Audit events are generated for all violation scenarios with differentiate between different violation scenarios

Verification Steps

• Switch to admin mode and setup audit event streaming
  • Doc: https://docs.gitlab.com/administration/compliance/audit_event_streaming/#add-a-new-http-destination
  • Localhost path: http://gdk.test:3000/admin/audit_logs?tab=streams
  • HTTP Listener: https://pipedream.com/
• Create a project
• Navigate to "Secure => Policies => New policy"
• Create a Merge Request Approval policy
• Create an MR that violates the policy
• Verify audit event is recorded for the violation in SPP project
• Resolve the violation and verify an audit event is recorded in SPP project
• Merge the MR with approval despite violations and verify an audit event is generated for the MR merged with violation in the SPP project.
• Test "fail open" scenario - when MR is merged without approval, despite policy violation and verify appropriate audit event is recorded