Ignore scan_finding rule for MR against unprotected branches
What does this MR do and why?
Addresses #383603 (closed)
This MR fixes the bug in Scan Result Policy where any MR targeting an unprotected branch has the approval rule applied.
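To show the behaviour change this MR describes, here is an added toy model in Ruby (not GitLab's code): `rule_branches`, `approvals_required` and the sample policy are constructed for this example, and it assumes that an empty `branches` list means "every protected branch" of the project.

```ruby
# Added example (not GitLab's code): toy matching of a scan_finding rule against
# a merge request, before and after the fix described in this MR.
# Assumption: an empty `branches` list means "every protected branch".
require 'yaml'
require 'set'
# Constructed sample policy, same shape as the one in the setup steps.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  rules:
    - type: scan_finding
      branches: []
      vulnerabilities_allowed: 0
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers:
        - johndoe_
YAML

# Branches a rule covers, given the project's protected branches.
def rule_branches(rule, protected_branches)
  listed = rule['branches'] || []
  return protected_branches.to_set if listed.empty?
  listed.to_set & protected_branches.to_set # assumption: unprotected entries are ignored
end

# Approvals demanded by the policy's require_approval actions.
def approvals_from_actions(policy)
  policy['actions'].select { |a| a['type'] == 'require_approval' }
                   .sum { |a| a['approvals_required'].to_i }
end

# Before the fix: the target branch is never consulted, so an MR into an
# unprotected branch such as `play` still gets the approval rule.
def approvals_required_before_fix(policy, _target_branch, _protected_branches, finding_count)
  hit = policy['rules'].any? do |r|
    r['type'] == 'scan_finding' && finding_count > r['vulnerabilities_allowed'].to_i
  end
  hit ? approvals_from_actions(policy) : 0
end

# After the fix: the rule only fires when the MR targets a protected branch it covers.
def approvals_required(policy, target_branch, protected_branches, finding_count)
  hit = policy['rules'].any? do |r|
    r['type'] == 'scan_finding' &&
      rule_branches(r, protected_branches).include?(target_branch) &&
      finding_count > r['vulnerabilities_allowed'].to_i
  end
  hit ? approvals_from_actions(policy) : 0
end
```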
Screenshots or screen recordings
Before
After
How to set up and validate locally
To follow. I will run through this in a new project.
- create a group, example: `mygroup`
- create repo and initialize it with CI config:

  ```shell
  mkdir somedirectory
  cd somedirectory
  git init .
  cat > .gitlab-ci.yml <<EOF
  include:
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  EOF
  git add .gitlab-ci.yml
  git commit -a -m 'init'
  git remote add origin <remote>
  git push -u origin HEAD
  ```

- Create the scan policy:
  - Security & Compliance > Policies
  - New policy
  - Scan result policy: Select policy
  - yaml mode
  - substitute a valid user for `johndoe_`
  - ensure the user has access to the group and has developer or greater permissions.

  ```yaml
  type: scan_result_policy
  name: 'my policy'
  description: 'require approval for vulnerabilities'
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels:
        - critical
        - high
        - medium
        - low
      vulnerability_states:
        - newly_detected
        - detected
        - confirmed
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers:
        - johndoe_
  ```

  - merge
  - note: `severity_levels` and `vulnerability_states` set like this to ensure
- settings > repository > protected branches - confirm the default branch (likely `main` or `master`) is protected
- create an unprotected branch:

  ```shell
  git checkout -b play
  git push -u origin HEAD
  ```

- create a feature branch; push it and open an MR to the default branch. Note the reference to master - change this to `main` if that's your default branch.

  ```shell
  git checkout -b vulns
  #
  # copy package.json and yarn.lock from https://gitlab.com/gitlab-examples/security/yarn-vulnerabilities
  #
  git add package.json yarn.lock
  git commit -a -m 'add vulns'
  ## master in next line!
  git push -o merge_request.create -o merge_request.target=master \
    -o merge_request.title="merge vulns to protected branch" \
    -o merge_request.description="merge vulns to protected branch" \
    -u origin HEAD
  ```

- create a feature branch; push it and open an MR to the unprotected branch.

  ```shell
  git checkout -b vulns2play
  git push -o merge_request.create -o merge_request.target=play \
    -o merge_request.title="merge vulns to unprotected branch" \
    -o merge_request.description="merge vulns to unprotected branch" \
    -u origin HEAD
  ```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.