
Ignore scan_finding rule for MR against unprotected branches

Sashi Kumar Kumaresan requested to merge sk/383603-fix-non-protected-branch into master

What does this MR do and why?

Addresses #383603 (closed)

This MR fixes the bug in Scan Result Policy where any MR targeting an unprotected branch had the approval rule applied.

Screenshots or screen recordings

Before

Screenshot_2022-11-28_at_16.44.53

After

Screenshot_2022-11-28_at_16.45.05

How to set up and validate locally

To follow. I will run through this in a new project.

  1. create a group, example: mygroup

  2. create repo and Initialize it with CI config:

    mkdir somedirectory
    cd somedirectory
    git init .
    cat > .gitlab-ci.yml <<EOF
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    EOF
    git add .gitlab-ci.yml
    git commit -a -m 'init'
    git remote add origin <remote>
    git push -u origin HEAD
  3. Create the scan policy.

    • Security & Compliance > Policies

    • New policy

    • Scan result policy: Select policy

    • yaml mode

    • substitute a valid user for johndoe_

    • ensure the user has access to the group and has developer or greater permissions.

      type: scan_result_policy
      name: 'my policy'
      description: 'require approval for vulnerabilities'
      enabled: true
      rules:
        - type: scan_finding
          branches: []
          scanners: []
          vulnerabilities_allowed: 0
          severity_levels:
            - critical
            - high
            - medium
            - low
          vulnerability_states:
            - newly_detected
            - detected
            - confirmed
      actions:
        - type: require_approval
          approvals_required: 1
          user_approvers:
            - johndoe_
    • merge

    • note: severity_levels and vulnerability_states set like this to ensure

  4. settings > repository > protected branches - confirm the default branch (likely main or master) is protected

  5. create an unprotected branch

    git checkout -b play
    git push -u origin HEAD
  6. create a feature branch; push it and open an MR to the default branch.

    • Note reference to master - change this to main if that's your default branch
    git checkout -b vulns
    #
    # copy package.json and yarn.lock from https://gitlab.com/gitlab-examples/security/yarn-vulnerabilities
    #
    git add package.json yarn.lock
    git commit -a -m 'add vulns'
    ## master in next line!
    git push -o merge_request.create -o merge_request.target=master \
      -o merge_request.title="merge vulns to protected branch" \
      -o merge_request.description="merge vulns to protected branch" \
      -u origin HEAD
  7. create a feature branch; push it and open an MR to the unprotected branch.

    git checkout -b vulns2play
    git push -o merge_request.create -o merge_request.target=play \
      -o merge_request.title="merge vulns to unprotected branch" \
      -o merge_request.description="merge vulns to unprotected branch" \
      -u origin HEAD
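As an added illustration (not code from this MR or from GitLab), the following Ruby model shows the rule evaluation the fix corrects: a scan_finding rule is only considered when the MR targets a protected branch, and an empty branches list is read as "all protected branches". The policy is the one from step 3 (abridged); the protected-branch list, the findings and the helper names are constructed for the example.

```ruby
require 'yaml'
# The step 3 policy, abridged; johndoe_ is the page's placeholder approver.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      vulnerabilities_allowed: 0
      severity_levels: [critical, high, medium, low]
      vulnerability_states: [newly_detected, detected, confirmed]
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers: [johndoe_]
YAML
POLICY = YAML.safe_load(POLICY_YAML).freeze

# Constructed project state: after step 4 only the default branch is protected;
# "play" from step 5 is not. Findings are constructed too, shaped like scanner output.
PROTECTED_BRANCHES = %w[master].freeze
FINDINGS = [
  { 'severity' => 'high', 'state' => 'newly_detected' },
  { 'severity' => 'low', 'state' => 'detected' }
].freeze

# Count findings whose severity and state the rule covers.
def matching_findings(rule, findings)
  findings.count do |f|
    rule['severity_levels'].include?(f['severity']) &&
      rule['vulnerability_states'].include?(f['state'])
  end
end

# A scan_finding rule only counts when the MR targets a protected branch (empty
# +branches+ = all protected branches); pre-fix, this protection check was missing.
def rule_applies?(rule, target_branch, protected_branches, findings)
  return false unless rule['type'] == 'scan_finding'
  return false unless protected_branches.include?(target_branch)
  return false unless rule['branches'].empty? || rule['branches'].include?(target_branch)
  matching_findings(rule, findings) > rule['vulnerabilities_allowed']
end

# Approvals the policy demands for an MR into +target_branch+ (0 when no rule fires).
def approvals_required(policy, target_branch, protected_branches, findings)
  return 0 unless policy['enabled'] &&
    policy['rules'].any? { |r| rule_applies?(r, target_branch, protected_branches, findings) }
  policy['actions'].select { |a| a['type'] == 'require_approval' }.sum { |a| a['approvals_required'] }
end
```

With the constructed state, the MR from step 6 (into master) requires one approval while the MR from step 7 (into play) requires none.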

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
