Add security bot comment for policy violations in MRs
Merged
requested to merge 411656-spike-investigate-and-prepare-poc-for-approval-notification-mvc into master
This MR adds security bot comments for policy violations in MRs.
This change introduces an automatic comment on MRs where security policy violations are detected. The comment gives the user guidance on what to do next regarding the required approvals.
The comments are created by the security bot. We may switch to a dedicated security policy bot from #394958 (closed), but for the moment we plan to test this feature with the security bot.
This feature is added behind a feature flag.
1. Enable the feature flag in the rails console:

   ```ruby
   Feature.enable(:security_policy_approval_notification)
   ```

2. Add the secret detection template to `.gitlab-ci.yml`:

   ```yaml
   include:
     - template: Jobs/Secret-Detection.gitlab-ci.yml

   test-job:
     script:
       - echo "Test Job..."
   ```

3. Create a new project with a security policy. Example:

   ```yaml
   type: scan_result_policy
   name: Secrets
   description: ''
   enabled: true
   rules:
     - type: scan_finding
       branches: []
       scanners:
         - secret_detection
       vulnerabilities_allowed: 0
       severity_levels:
         - critical
         - high
         - medium
         - low
         - unknown
         - info
       vulnerability_states:
         - new_needs_triage
         - new_dismissed
   actions:
     - type: require_approval
       approvals_required: 1
       user_approvers_ids:
         - 4
   ```

4. Introduce a policy violation in an MR, for example by adding a secret that triggers the secret detection scanner referenced by the policy.
5. After the CI pipeline has finished, observe that an automatic comment is added.
6. Add a new commit which doesn't fix the violation yet. No new automatic comment should appear.
7. Add a new commit fixing the violation.
8. The comment should be updated to say that the violations have been fixed.
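As an added illustration (not code from this MR or from GitLab), a small Ruby model of the comment lifecycle the steps above validate: one bot note per MR, created on the first violation, left alone while the same violation persists, and updated in place once it is fixed. The bot username, the hidden marker and the comment wording are assumptions.

```ruby
# Hypothetical model of the security bot comment lifecycle; not GitLab's code.
BOT_AUTHOR = 'security_bot'.freeze                       # assumed bot username
MARKER     = '<!-- security-policy-violation -->'.freeze # assumed marker to find our own note

# Body shown while violations are present. Guidance wording is invented.
def violation_body(policies)
  list = policies.map { |p| "- #{p}" }.join("\n")
  "#{MARKER}\n**Policy violations detected.** The following policies require approval:\n" \
    "#{list}\nAsk the configured approvers to review, or fix the findings and push a new commit."
end

# Body shown once every previously reported violation is gone.
def fixed_body
  "#{MARKER}\n**Policy violations fixed.** All previously reported findings are resolved."
end

# notes: array of {author:, body:} hashes standing in for MR notes (constructed input).
# violated_policies: names of policies currently violated, empty when none.
# Returns [action, notes] where action is :created, :updated or :unchanged.
def sync_policy_comment(notes, violated_policies, pipeline_finished: true)
  # Act only after CI has completed; before that the scan results are not final.
  return [:unchanged, notes] unless pipeline_finished

  existing = notes.find { |n| n[:author] == BOT_AUTHOR && n[:body].start_with?(MARKER) }
  wanted = violated_policies.empty? ? nil : violation_body(violated_policies)

  if existing.nil?
    # No violations and no earlier comment: nothing to say.
    return [:unchanged, notes] if wanted.nil?
    # First violation on this MR: create the single bot note.
    return [:created, notes + [{ author: BOT_AUTHOR, body: wanted }]]
  end

  # One bot note per MR: update it in place rather than adding another comment.
  new_body = wanted || fixed_body
  return [:unchanged, notes] if existing[:body] == new_body

  updated = notes.map { |n| n.equal?(existing) ? n.merge(body: new_body) : n }
  [:updated, updated]
end
```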
Related to #411656 (closed)