Security approval in merge requests MVC (#9928) · Issues · GitLab.org / GitLab

Security approval in merge requests MVC

Summary

In order to allow teams to focus on the most critical security items and avoid things being lost due to volume of results, GitLab now allows customers to automatically approve specifically identified merge requests if there are no vulnerabilities introduced of a specified severity. This will enable a workflow that would allow Security teams to be involved in Merge Request Approval workflow without having to approve every single Merge Request.

Problem to solve

Security checks are performed during the pipeline execution, and reports are available in the merge request widget. GitLab is able to determine if new vulnerabilities have been introduced into the code because of the specific changes of the feature branch.

Our security paradigm states that we don't want to make a pipeline fail and block the entire development process if some vulnerability is found. They could be false positive, or just something that is not more important than the development velocity.

On the other side, we're getting a lot of feedback that unsecure code should not be allowed unless previously approved by the security team. This is considered a strict requirement by some customer, and also a must-have by analysts. Security teams don't want to be involved in each and every merge request, but only if security flaws have been found.

GitLab recently added the feature of Merge Request Approval rules (including adding multiple approval rules) that would enable approval being required by specific individuals on a merge request. The pain point is that in practice, a Security Team would have to review every single merge request, and what they are interested in doing is setting a threshold for when a review is required.

We strongly believe that our security paradigm is valid, but we should consider something that allows companies to deal with their compliance requirements and ensure they are able to use GitLab.

Target audience

Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam

Proposal

We recently released multiple approval rules, and we can leverage this feature to build some advanced logic on top of it.

We can use multiple merge request approval rules to create an MVC that auto-approves specifically identified Approvals if there are no vulnerabilities introduced of a certain severity. This will enable a workflow that would allow Security teams to be involved in Merge Request Approval without having to approve every single Merge Request.

Proposed solution

Default to displaying a Vulnerability-Check Merge Request Approval rule with no Approvers added with a tool-tip to point you to documentation on what the Merge Request Approval rule provides
Administrators can update the number of Approvals required to activate the rule and add appropriate approvers using the standard Merge Request approval rule UI
Merge requests themselves utilize existing approval rules UI
The removing of the required approval is performed by lowering the approvals_required to zero for the Vulnerability-Check approval rule when no Critical, High, or Unknown vulnerabilities are introduced
Vulnerability Dismissal does not affect whether approvals_required is adjusted to zero
Usage ping with total number of projects with a Vulnerability-Check project rule that exists with an approval count greater than 0

This avoids the confusing "Double Set of Approvers" or "Special Approvers" that was mentioned in the discovery.

Out of Scope

Compliance focused reporting on merge approvals
Selection Vulnerability Severity level
Adding auto-approval to non-standard (in this case Vulnerability-Check) Approvals

Additional documentation

We should be careful to communicate to users that one Merge request approvals section checkbox might lead to unexpected behavior in this workflow. Allowing users to adjust Approvals in specific Merge Requests could enable un-authorized adjustment to approvers to subvert the workflow.

User Interface

1. Vulnerability-Check approver group rule seen by default in approver menu

2. User opened the Vulnerability-Check group (clicked "edit"), adjusts to 1+ required approvers to activate and selects eligible approvers (name input with Vulnerability-Check disabled)

3. Vulnerability-Check is active, ? on hover displays tooltip explaining the explicit rule

Development Log

Status

backend refactoring of existing Approval Rules implementation to support new rule types https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13036
backend addition of report_type field within approval_merge_request_rules https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14050
backend work nearly feature-complete, ongoing discussion on implementation and refactoring https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13109
frontend https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14038
backend work to fix issue introduced where default rule_type was being overridden https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30575
~Documentation https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30959
backend frontend MR to remove feature flag, activating feature by default https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/15087

Decisions

~~Add default "security approver rule" row to UI~~ (decision was made but missed in implementation, see below)
Include unknown-severity in vulnerability checks
Exclude undefined-severity in vulnerability checks
"Dismissing feedback" will not be disabled when Security Approvals are enabled. Many edgecases need to be considered still
Remove MR approval rules when project approval rule is deleted
Do not create approval rules for open MRs when project approval rule is added (deferred due to complexity)
The existing validation preventing override rules from being less strict than project rules will be bypassed and not apply to report_approver rules
We will introduce a rule_type to approval_project_rules to reduce technical debt and better support complex rule types later
We will not be shipping the placeholder row in the UI as this was missed and won't make the cutoff for %12.1. After research in ux-research#206 (closed) this should be reconsidered

Documentation

https://docs.gitlab.com/ee/user/application_security/index.html#security-approvals-in-merge-requests

### Summary

### Problem to solve

Security checks are performed during the pipeline execution, and reports are available in the merge request widget.
GitLab is able to determine if new vulnerabilities have been introduced into the code because of the specific changes of the feature branch.

Our [security paradigm](https://about.gitlab.com/direction/secure/#security-paradigm) states that we don't want to make a pipeline fail and block the entire development process if some vulnerability is found. They could be false positive, or just something that is not more important than the development velocity.

GitLab recently added the feature of [Merge Request Approval rules](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html#multiple-approval-rules-premium) (including adding multiple approval rules) that would enable approval being required by specific individuals on a merge request. The pain point is that in practice, a Security Team would have to review every single merge request, and what they are interested in doing is setting a threshold for when a review is required.

We strongly believe that our security paradigm is valid, but we should consider something that allows companies to deal with their compliance requirements and ensure they are able to use GitLab.

### Target audience

- Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam

### Proposal

We recently released [multiple approval rules](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html#multiple-approval-rules-premium), and we can leverage this feature to build some advanced logic on top of it.

#### Proposed solution

*  Default to displaying a `Vulnerability-Check` Merge Request Approval rule with no Approvers added with a tool-tip to point you to documentation on what the Merge Request Approval rule provides
* Administrators can update the number of Approvals required to activate the rule and add appropriate approvers using the standard Merge Request approval rule UI
* Merge requests themselves utilize existing approval rules UI
* The removing of the required approval is performed by lowering the `approvals_required` to zero for the **Vulnerability-Check** approval rule when no `Critical`, `High`, or `Unknown` vulnerabilities are introduced
* Vulnerability Dismissal does not affect whether `approvals_required` is adjusted to zero
* Usage ping with total number of projects with a `Vulnerability-Check` project rule that exists with an approval count greater than 0

This avoids the confusing "Double Set of Approvers" or "Special Approvers" that was [mentioned](https://gitlab.com/gitlab-org/gitlab-ee/issues/10391#note_166138343) in the discovery.

##### Out of Scope
* Compliance focused reporting on merge approvals
* Selection Vulnerability Severity level
* Adding auto-approval to non-standard (in this case `Vulnerability-Check`) Approvals

##### Additional documentation

We should be careful to communicate to users that one `Merge request approvals section` checkbox might lead to unexpected behavior in this workflow. Allowing users to adjust Approvals in specific Merge Requests could enable un-authorized adjustment to approvers to subvert the workflow.

##### User Interface
**1.** `Vulnerability-Check` approver group rule seen by default in approver menu
![1](/uploads/2023f7c93e4fa3c6c659a372e807a21b/1.png)

**2.** User opened the `Vulnerability-Check` group (clicked "edit"), adjusts to 1+ required approvers to activate and selects eligible approvers (name input with `Vulnerability-Check` disabled)
![2](/uploads/08022d368d0ef1f057085c2ca929834d/2.png)

**3.** `Vulnerability-Check` is active, **?** on hover displays tooltip explaining the explicit rule
![3](/uploads/fd4803c762d6c85106fc7ef51f678e4e/3.png)

## Development Log

### Status

- [x] ~backend refactoring of existing Approval Rules implementation to support new rule types https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13036
 - [x] ~backend addition of `report_type` field within `approval_merge_request_rules` https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14050
 - [x] ~backend work nearly feature-complete, ongoing discussion on implementation and refactoring https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13109
 - [x] ~frontend https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14038
 - [x] ~backend work to fix issue introduced where default rule_type was being overridden https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30575
 - [x] ~Documentation https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30959
 - [x] ~backend ~frontend MR to remove feature flag, activating feature by default https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/15087

### Decisions

- ~~Add default "security approver rule" [row to UI](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_174026095)~~ (decision was made but missed in implementation, see below)
 - [Include](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_173056601) `unknown`-severity in vulnerability checks
 - [Exclude](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_172411146) `undefined`-severity in vulnerability checks
 - "Dismissing feedback" [will not be disabled](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_175525965) when Security Approvals are enabled. Many edgecases need to be considered still
 - [Remove MR approval rules when project approval rule is deleted](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13109#note_179859000)
 - [Do not create approval rules for open MRs when project approval rule is added (deferred due to complexity)](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13109#note_180159378)
 - The [existing validation](https://gitlab.com/gitlab-org/gitlab-ee/blob/32b9763e9371326d137d053b51dce4bd8df31fbc/ee/app/models/approval_merge_request_rule.rb#L82-89) preventing override rules from being less strict than project rules [will be bypassed and not apply to `report_approver` rules](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13109#note_182494499)
 - [We will introduce a `rule_type` to `approval_project_rules`](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_190385002) to reduce ~"technical debt" and better support complex rule types later
 - [We will not be shipping the placeholder row in the UI](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928#note_190385002) as this was missed and won't make the cutoff for %"12.1". After research in ux-research#206 this should be reconsidered

### Documentation

- https://docs.gitlab.com/ee/user/application_security/index.html#security-approvals-in-merge-requests

Edited Apr 24, 2020 by Philippe Lafoucrière

Discussion
Designs