
Require approvals in case of pre-existing vulnerabilities

What does this MR do and why?

Scan result policies allow requiring approvals for merge requests depending on the result of security scans.

Currently, the rules in a policy are evaluated against findings from merge request pipelines only. This is a problem because pre-existing vulnerabilities are not taken into account: a project that already has a known critical vulnerability gets no approval gate on MRs whose pipelines do not re-report it. This MR fixes this by evaluating all non-newly-detected rules against existing findings from other pipelines as well.

How to set up and validate locally

  1. Create a new group and add at least one other member to it.
  2. Create a new project and commit the following .gitlab-ci.yml to the default branch:

     container_scanning:
       image: "busybox:latest"
       stage: test
       allow_failure: true
       artifacts:
         reports:
           container_scanning: gl-container-scanning-report.json
         paths: [gl-container-scanning-report.json]
       dependencies: []
       script:
         - wget -O gl-container-scanning-report.json https://gitlab.com/-/snippets/2438327/raw/main/gl-container-scanning-report-1-critical.json?inline=false
       rules:
         - if: $RUN_MANUALY

     other_job:
       image: busybox:latest
       stage: test
       script:
         - echo "This is other branch"

  3. Navigate to Security & Compliance -> Policies and add a new scan result policy in YAML mode with the following contents, with group_approvers_ids set to your group ID:

     name: Enforce check when there is at least 1 critical
     description: ''
     enabled: true
     actions:
     - type: require_approval
       approvals_required: 1
       group_approvers_ids:
       - # add your group ID
     rules:
     - type: scan_finding
       branches: []
       scanners: []
       vulnerabilities_allowed: 0
       severity_levels:
       - critical
       vulnerability_states:
       - detected

  4. Run the pipeline manually with the RUN_MANUALY variable set to "true" (this populates the project with one critical container-scanning vulnerability).
  5. Create a new MR with some change unrelated to the .gitlab-ci.yml file.
  6. Verify that the MR does not require approval.
  7. Enable the feature flag for the project in a Rails console:

     Feature.enable(:enforce_scan_result_policies_for_preexisting_vulnerabilities, Project.find_by(name: "my-project"))

  8. Create another MR with a change unrelated to the .gitlab-ci.yml file.
  9. Verify that the MR does require approval.
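The following Ruby script is an added illustrative model of the rule evaluation described above; it is not GitLab's policy engine and none of its names (Finding, candidate_findings, approval_required?, the preexisting_enabled switch standing in for the feature flag) exist in the GitLab code base. It reproduces the validation scenario with constructed data: the default-branch pipeline already reported one critical finding, the MR pipeline runs no scanner job and reports nothing, and the same "detected" rule is evaluated with pre-existing vulnerabilities ignored (old behaviour) and considered (new behaviour).

```ruby
# Added illustrative model of scan_finding rule evaluation. NOT GitLab's own code;
# all names and the sample findings below are constructed for this example.
require 'set'

Finding = Struct.new(:fingerprint, :severity, :scanner, :state, keyword_init: true)

NEWLY_DETECTED = 'newly_detected'

# Same shape as the policy YAML in the validation steps: an empty scanners list
# matches any scanner, severity_levels restricts to the listed severities.
POLICY_RULE = {
  type: 'scan_finding',
  scanners: [],
  severity_levels: ['critical'],
  vulnerability_states: ['detected'],
  vulnerabilities_allowed: 0
}.freeze

def rule_matches?(rule, finding)
  (rule[:scanners].empty? || rule[:scanners].include?(finding.scanner)) &&
    (rule[:severity_levels].empty? || rule[:severity_levels].include?(finding.severity))
end

# Which findings a rule is compared against.
#   preexisting_enabled: false -> only the MR pipeline's findings (old behaviour)
#   preexisting_enabled: true  -> 'newly_detected' looks at MR pipeline findings not
#                                 already known on the project; every other state
#                                 looks at the project's existing vulnerabilities
#                                 that are in that state
def candidate_findings(rule, pipeline_findings, existing_vulns, preexisting_enabled:)
  states = rule[:vulnerability_states]
  return pipeline_findings unless preexisting_enabled

  known = existing_vulns.map(&:fingerprint).to_set
  candidates = []
  if states.include?(NEWLY_DETECTED)
    candidates += pipeline_findings.reject { |f| known.include?(f.fingerprint) }
  end
  other_states = states - [NEWLY_DETECTED]
  unless other_states.empty?
    candidates += existing_vulns.select { |v| other_states.include?(v.state) }
  end
  candidates.uniq(&:fingerprint)
end

# Approval is required when more matching findings exist than the rule allows.
def approval_required?(rule, pipeline_findings, existing_vulns, preexisting_enabled:)
  candidates = candidate_findings(rule, pipeline_findings, existing_vulns,
                                  preexisting_enabled: preexisting_enabled)
  matched = candidates.count { |f| rule_matches?(rule, f) }
  matched > rule[:vulnerabilities_allowed]
end

# Constructed sample data mirroring the validation steps: the manual default-branch
# pipeline reported one critical container-scanning finding, now an existing
# "detected" vulnerability on the project. The MR pipeline does not run the scanner
# job (RUN_MANUALY is unset), so it reports nothing.
EXISTING_VULNS = [
  Finding.new(fingerprint: 'cs-critical-1', severity: 'critical',
              scanner: 'container_scanning', state: 'detected')
].freeze
MR_PIPELINE_FINDINGS = [].freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    needed = approval_required?(POLICY_RULE, MR_PIPELINE_FINDINGS, EXISTING_VULNS,
                                preexisting_enabled: flag)
    puts "pre-existing vulnerabilities considered=#{flag}: approval required=#{needed}"
  end
end
```

With the switch off the rule only ever sees the (empty) MR pipeline report and the MR sails through; with it on, the existing critical vulnerability counts against the rule and an approval is required. The model also shows why the fix is limited to non-newly-detected rules: a `newly_detected` rule still only fires on findings the project does not already know.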

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #379110 (closed)

Edited by Dominic Bauer
