Compare results for scan_finding approval rules from multiple pipelines
What does this MR do and why?
This MR adds the ability for Scan Finding Approval Rules (created from Scan Result Policies) to verify results from multiple pipelines related to a given source branch and target branch SHA.
How to set up and validate locally
- Create a new project
- Enable the `multi_pipeline_scan_result_policies` feature flag for this project
- Add a `.gitlab-ci.yml` file that includes a detached pipeline:

```yaml
container_scanning:
  image: "busybox:latest"
  stage: test
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [gl-container-scanning-report.json]
  dependencies: []
  script:
    - wget -O gl-container-scanning-report.json https://gitlab.com/-/snippets/2438327/raw/main/gl-container-scanning-report-empty.json?inline=false
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH

other_job:
  image: busybox:latest
  stage: test
  script:
    - echo "This is other branch"

detachedjob:
  rules:
    - when: always
  script:
    - echo "Hello from detached job"
```
- Add a Scan Result Policy (go to Security & Compliance -> Policies), click New Policy, select Scan Result Policies, add the new policy and merge the created MR:

```yaml
name: Enforce check when there is at least 1 critical
description: ''
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - # add your group ID
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
    vulnerability_states:
      - newly_detected
```
- Add a new MR with the following change to `.gitlab-ci.yml`
:diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0cf690cc8622c2262dd1ea492e4019e40dc078d0..46167e7f57632551d085397fe6994a596d4c1ae3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -31,7 +31,7 @@ container_scanning: paths: [gl-container-scanning-report.json] dependencies: [] script: - - wget -O gl-container-scanning-report.json http://gdk.test:3000/-/snippets/22/raw/main/gl-container-scanning-report-empty.json?inline=false + - wget -O gl-container-scanning-report.json http://gdk.test:3000/-/snippets/22/raw/main/gl-container-scanning-report-1-critical.json?inline=false rules: - if: $CONTAINER_SCANNING_DISABLED when: never
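Review bot: the `-` line of this hunk (`wget -O gl-container-scanning-report.json http://gdk.test:3000/-/snippets/22/raw/main/gl-container-scanning-report-empty.json?inline=false`) does not match the `.gitlab-ci.yml` given in the setup step, which fetches `https://gitlab.com/-/snippets/2438327/raw/main/gl-container-scanning-report-empty.json`, and the header `@@ -31,7 +31,7 @@` places the script line at line 31 while in the setup file it sits within the first dozen lines, so the diff will not apply to that file as written. Either point the setup step at the same local snippet or rewrite the hunk against the gitlab.com URL; the description also gives no public URL for `gl-container-scanning-report-1-critical.json`, so a reviewer reproducing this on a fresh GDK has to create that snippet first.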
- Verify that approvals in the MR are required
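The validation steps above exercise exactly the case this MR is about: the same source SHA gets both a branch pipeline (which runs `container_scanning`) and a detached merge request pipeline (which runs only `detachedjob` and produces no security report). If the rule only looks at the most recent pipeline, it may see the detached one and find nothing. The following is an added example, not GitLab's code, that models evaluating a `scan_finding` rule over every pipeline for the source SHA and comparing against the target branch pipelines; all function names, hash fields and sample findings are hypothetical and constructed for the example.

```ruby
# Added example (not GitLab's implementation): evaluate a scan_finding approval
# rule across all pipelines that ran for the MR's source SHA instead of only the
# latest one. Hash shapes, names and data below are hypothetical.

# Constructed sample: two pipelines for the same source SHA. Only the branch
# pipeline (101) ran container_scanning; the detached MR pipeline (102) ran just
# the detached job and carries no security report.
SOURCE_PIPELINES = [
  { id: 101, sha: 'abc123', kind: :branch,
    findings: [
      { uuid: 'f-0', scanner: 'container_scanning', severity: 'critical' },
      { uuid: 'f-1', scanner: 'container_scanning', severity: 'critical' },
      { uuid: 'f-2', scanner: 'container_scanning', severity: 'low' }
    ] },
  { id: 102, sha: 'abc123', kind: :detached_merge_request, findings: [] }
].freeze

# Constructed sample: latest pipeline on the target branch. f-0 already exists
# there, so it is pre-existing rather than newly_detected.
TARGET_PIPELINES = [
  { id: 90, sha: 'def456', kind: :branch,
    findings: [{ uuid: 'f-0', scanner: 'container_scanning', severity: 'critical' }] }
].freeze

# Mirrors the rule from the policy in the setup steps (hypothetical hash shape).
POLICY_RULE = {
  type: 'scan_finding',
  scanners: [],                  # empty list: any scanner
  vulnerabilities_allowed: 0,
  severity_levels: ['critical'],
  vulnerability_states: ['newly_detected']
}.freeze

# Union of findings from every pipeline with the given SHA, de-duplicated by
# uuid so a finding reported by two pipelines is counted once.
def findings_for(pipelines, sha)
  pipelines.select { |p| p[:sha] == sha }
           .flat_map { |p| p[:findings] }
           .uniq { |f| f[:uuid] }
end

def matches_scanner_and_severity?(finding, rule)
  (rule[:scanners].empty? || rule[:scanners].include?(finding[:scanner])) &&
    rule[:severity_levels].include?(finding[:severity])
end

# Findings on the source SHA that the rule counts against the MR. A finding is
# newly_detected when no target-branch pipeline reported the same uuid; any
# other configured state is modelled here simply as "pre-existing on target".
def violating_findings(rule, source_pipelines, source_sha, target_pipelines, target_sha)
  target_uuids = findings_for(target_pipelines, target_sha).map { |f| f[:uuid] }
  findings_for(source_pipelines, source_sha).select do |f|
    next false unless matches_scanner_and_severity?(f, rule)

    newly_detected = !target_uuids.include?(f[:uuid])
    rule[:vulnerability_states].include?('newly_detected') ? newly_detected : !newly_detected
  end
end

def approval_required?(rule, source_pipelines, source_sha, target_pipelines, target_sha)
  violating_findings(rule, source_pipelines, source_sha, target_pipelines, target_sha).size >
    rule[:vulnerabilities_allowed]
end

if __FILE__ == $PROGRAM_NAME
  latest_only = SOURCE_PIPELINES.select { |p| p[:id] == 102 }
  puts "latest (detached) pipeline only: approval required? " \
       "#{approval_required?(POLICY_RULE, latest_only, 'abc123', TARGET_PIPELINES, 'def456')}"
  puts "all pipelines for the SHA:       approval required? " \
       "#{approval_required?(POLICY_RULE, SOURCE_PIPELINES, 'abc123', TARGET_PIPELINES, 'def456')}"
end
```

Run stand-alone, the first line reports that no approval is required when only the detached pipeline is consulted, and the second that approval is required once the branch pipeline for the same SHA is included: `f-1` is critical and absent from the target branch, `f-0` is critical but pre-existing, and `f-2` is below the configured severity.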
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #379108 (closed)