Require security approval when scans are removed in MR
What does this MR do and why?
Users can work around Security Approvals by removing scanning jobs from the CI config in the merge request they submit. This MR fixes the behaviour and puts the fix behind the `require_approval_on_scan_removal` feature flag.
Feature flag rollout issue: #382079 (closed)
How to set up and validate locally
- Create a project where SAST and Dependency Scanning (DS) are enabled in the `master` branch.
- Create a Scan Result Policy (Security & Compliance -> Policies) to require approval from a group if vulnerabilities are found:
```yaml
type: scan_result_policy
name: Scan Approval
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 1
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states:
      - newly_detected
      - detected
      - confirmed
      - dismissed
      - resolved
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 12
```
- Create an MR that removes the SAST and DS jobs from `.gitlab-ci.yml` and verify that no approval is required.
- Enable the `require_approval_on_scan_removal` feature flag for the project, create the MR again, and verify that the MR is blocked for approval.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #37239 (closed)
Edited by Sashi Kumar Kumaresan