Require approvals in case of pre-existing vulnerabilities
requested to merge 379110-require-remove-approvals-earlier-when-scan-result-policy-is-enforced-based-on-pre-existing into master
What does this MR do and why?
Scan result policies allow requiring approvals for merge requests depending on the result of security scans.
Currently, the rules in a policy are evaluated against findings from merge request pipelines only. This is a problem, because pre-existing vulnerabilities are not taken into account. This MR fixes this by evaluating all rules that are not restricted to newly detected vulnerabilities against existing findings from other pipelines.
How to set up and validate locally
- Create a new group and add at least one other member to it
- Create a new project and commit the following `.gitlab-ci.yml` to the default branch:

```yaml
container_scanning:
  image: "busybox:latest"
  stage: test
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [gl-container-scanning-report.json]
  dependencies: []
  script:
    - wget -O gl-container-scanning-report.json https://gitlab.com/-/snippets/2438327/raw/main/gl-container-scanning-report-1-critical.json?inline=false
  rules:
    - if: $RUN_MANUALY

other_job:
  image: busybox:latest
  stage: test
  script:
    - echo "This is other branch"
```
- Navigate to Security & Compliance -> Policies, add a new scan result policy in YAML mode with the following contents with an updated `group_approvers_ids`:

```yaml
name: Enforce check when there is at least 1 critical
description: ''
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - # add your group ID
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
    vulnerability_states:
      - detected
```
- Run the pipeline manually and set the `RUN_MANUALY` variable to `"true"`
- Add a new MR with some change unrelated to the `.gitlab-ci.yml` file, and verify that the MR does not require approval
- Enable the feature flag for the project:

```ruby
Feature.enable(:enforce_scan_result_policies_for_preexisting_vulnerabilities, Project.find_by(name: "my-project"))
```

- Add a new MR with some change unrelated to the `.gitlab-ci.yml` file, and verify that the MR does require approval
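The evaluation described in the MR text and exercised by the validation steps above, as an added Ruby illustration that is not GitLab's own code: a rule whose `vulnerability_states` contain `newly_detected` is matched against merge request pipeline findings, while every other state is matched against findings already present on the target branch, but only when the pre-existing behaviour is switched on. The `Finding` struct, the `matching_findings` and `approval_required?` helpers, the `preexisting_enabled` boolean standing in for the feature flag, the placeholder group ID and the sample findings are all constructed for this example.

```ruby
require "yaml"

# Added illustration, not GitLab's implementation: a small model of evaluating
# a scan result policy against two sources of findings, the merge request
# pipeline and the findings already known on the target branch.
Finding = Struct.new(:id, :severity, :state, keyword_init: true)

# The policy from the validation steps above (group ID is a placeholder).
POLICY_YAML = <<~YAML
  name: Enforce check when there is at least 1 critical
  description: ''
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 0 # placeholder group ID
  rules:
    - type: scan_finding
      branches: []
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels:
        - critical
      vulnerability_states:
        - detected
YAML

POLICY = YAML.safe_load(POLICY_YAML)

# Constructed sample: one critical vulnerability already on the default branch,
# as the container_scanning job produces when run with RUN_MANUALY=true.
EXISTING_FINDINGS = [
  Finding.new(id: "existing-1", severity: "critical", state: "detected")
].freeze

# Constructed sample: the MR pipeline only ran other_job, so it has no findings.
MR_FINDINGS = [].freeze

NEWLY_DETECTED = "newly_detected"

# Findings that satisfy one scan_finding rule.
# The newly_detected state is matched against MR pipeline findings; every other
# state is matched against pre-existing findings, but only when
# preexisting_enabled is true (the behaviour this MR puts behind a feature flag).
def matching_findings(rule, mr_findings:, existing_findings:, preexisting_enabled:)
  severities = rule["severity_levels"]
  states = rule["vulnerability_states"]
  severity_ok = ->(f) { severities.empty? || severities.include?(f.severity) }
  matches = []

  if states.include?(NEWLY_DETECTED)
    matches.concat(mr_findings.select(&severity_ok))
  end

  preexisting_states = states - [NEWLY_DETECTED]
  if preexisting_enabled && preexisting_states.any?
    matches.concat(existing_findings.select do |f|
      preexisting_states.include?(f.state) && severity_ok.call(f)
    end)
  end

  matches.uniq(&:id)
end

# A rule is violated when more findings match than vulnerabilities_allowed;
# any violated rule in an enabled policy makes approval required.
def approval_required?(policy, mr_findings:, existing_findings:, preexisting_enabled:)
  return false unless policy["enabled"]

  policy["rules"].any? do |rule|
    next false unless rule["type"] == "scan_finding"

    count = matching_findings(rule, mr_findings: mr_findings,
                              existing_findings: existing_findings,
                              preexisting_enabled: preexisting_enabled).size
    count > rule["vulnerabilities_allowed"]
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    required = approval_required?(POLICY, mr_findings: MR_FINDINGS,
                                  existing_findings: EXISTING_FINDINGS,
                                  preexisting_enabled: flag)
    puts "pre-existing evaluation #{flag ? 'on ' : 'off'}: approval required = #{required}"
  end
end
```

Run as a script, it reproduces the two validation steps: with pre-existing evaluation off the MR needs no approval because its own pipeline reported nothing, and with it on the single critical `detected` finding exceeds `vulnerabilities_allowed: 0` and approval becomes required.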
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #379110 (closed)
Edited by Dominic Bauer