
Add security bot comment for policy violations in MRs

What does this MR do and why?

This MR adds security bot comments for policy violations in MRs.

This change introduces an automatic comment on MRs where security policy violations are detected. The comment tells the user what to do next with regard to the required approvals.

The comments are created by the security bot. We may switch to a dedicated security policy bot from #394958 (closed), but for the moment we plan to test this feature with the security bot.

This feature is added behind a feature flag.

Screenshots or screen recordings

With violations:

CleanShot_2023-06-06_at_19.01.36_2x

Resolved violations:

CleanShot_2023-06-06_at_19.05.47_2x

Recording:

lightweight_bot_comment

How to set up and validate locally


  1. Enable the feature flag in the Rails console:

    Feature.enable(:security_policy_approval_notification)
  2. Add the Secret Detection template to .gitlab-ci.yml so the scanner runs in the MR pipeline:

    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
    test-job:
      script:
      - echo "Test Job..."
  3. Create a new project and add a security policy to it: a scan result policy that requires approval when secret detection reports any new finding. Example:

    type: scan_result_policy
    name: Secrets
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        branches: []
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
          - medium
          - low
          - unknown
          - info
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 4
  4. Introduce a policy violation in an MR, for example by committing a secret that the secret detection scanner referenced by the policy will flag.

  5. After the pipeline has finished, observe that an automatic comment is added to the MR.

  6. Add a new commit that does not fix the violation yet. No new automatic comment should be added.

  7. Add a new commit, fixing the violation.

  8. The existing comment should be updated to say that the violations have been resolved.
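The following Ruby snippet is an added example, not code from this MR or from GitLab: it models the behaviour the validation steps above check, namely evaluating the MR's findings against the scan result policy from step 3 and then creating a single bot note when violations first appear, leaving it untouched while they persist, and rewriting it once they are gone. The finding hash shape, the Note struct, the bot author name and the comment wording are assumptions of the example; the policy YAML is the one from step 3.

```ruby
require 'yaml'

# The scan result policy from the validation steps (copied verbatim).
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Secrets
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      scanners:
        - secret_detection
      vulnerabilities_allowed: 0
      severity_levels:
        - critical
        - high
        - medium
        - low
        - unknown
        - info
      vulnerability_states:
        - new_needs_triage
        - new_dismissed
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 4
YAML

POLICY = YAML.safe_load(POLICY_YAML)

BOT_USER = 'security-bot' # assumed author name used to find the bot's own note
VIOLATION_HEADER = 'Policy violation(s) detected'
RESOLVED_HEADER  = 'Policy violation(s) resolved'

# Minimal stand-in for an MR note; GitLab's real Note model is different.
Note = Struct.new(:author, :body, keyword_init: true)

# Findings are constructed hashes { scanner:, severity:, state: }, not GitLab's schema.
# Returns the scan_finding rules whose vulnerabilities_allowed threshold is exceeded.
def violated_rules(policy, findings)
  return [] unless policy['enabled']

  policy['rules'].select do |rule|
    next false unless rule['type'] == 'scan_finding'

    matching = findings.count do |f|
      rule['scanners'].include?(f[:scanner]) &&
        rule['severity_levels'].include?(f[:severity]) &&
        rule['vulnerability_states'].include?(f[:state])
    end
    matching > rule['vulnerabilities_allowed']
  end
end

def required_approvals(policy)
  policy['actions'].select { |a| a['type'] == 'require_approval' }
                   .sum { |a| a['approvals_required'] }
end

def violation_body(policy, rules)
  scanners = rules.flat_map { |r| r['scanners'] }.uniq.join(', ')
  "#{VIOLATION_HEADER} by policy '#{policy['name']}' (#{scanners}). " \
    "This merge request needs #{required_approvals(policy)} approval(s) " \
    'from the approvers configured in the policy before it can be merged.'
end

def resolved_body(policy)
  "#{RESOLVED_HEADER}: policy '#{policy['name']}' is no longer violated " \
    'and no longer blocks this merge request.'
end

# Upserts the single bot note on an MR and reports what happened:
# :created, :updated, :unchanged or :skipped. `notes` is mutated in place.
def sync_bot_comment(notes, policy, findings)
  existing = notes.find { |n| n.author == BOT_USER }
  rules = violated_rules(policy, findings)

  if rules.empty?
    return :skipped if existing.nil? # nothing was ever reported: stay silent
    body = resolved_body(policy)
  else
    body = violation_body(policy, rules)
    if existing.nil?
      notes << Note.new(author: BOT_USER, body: body)
      return :created
    end
  end

  return :unchanged if existing.body == body # same state: no new comment
  existing.body = body
  :updated
end

if __FILE__ == $PROGRAM_NAME
  notes = []
  secret = { scanner: 'secret_detection', severity: 'high', state: 'new_needs_triage' }
  p sync_bot_comment(notes, POLICY, [secret]) # first pipeline with the leaked secret
  p sync_bot_comment(notes, POLICY, [secret]) # new commit, violation still present
  p sync_bot_comment(notes, POLICY, [])       # commit that removes the secret
  puts notes.first.body
end
```

The point of keying the lookup on the bot author rather than appending a note per pipeline is step 6: a commit that leaves the violation in place must not produce a second comment, and the resolved state in step 8 is an edit of the same note, so reviewers see one message whose body tracks the MR's current state.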


Related to #411656 (closed)

Edited by Martin Čavoj
