Enforce approval rules based on attributes
What does this MR do and why?
This enforces security policy approval rules based on vulnerability attributes. The attributes configuration was introduced with !123640 (merged). Possible attributes are false_positive
and fix_available
.
Example: Require approval only if vulnerability findings are not false positives and there is a fix_available
Database
This MR adds new scopes to ee/app/models/security/finding.rb
. I ran an example query that uses the new scopes. Here is the result:
https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/20224/commands/66232
Time: 4.330 ms
- planning: 3.883 ms
- execution: 0.447 ms
- I/O read: 0.000 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 24 (~192.00 KiB) from the buffer pool
- reads: 0 from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
How to set up and validate locally
- Switch to the
399117-enforce-security-policy-vulnerability_attributes-rules
branch. - Create a new policy
- Create a project
- Add a
.gitlab-ci.yml
with secret detection (See.gitlab-ci.yml
with secret detection example). - On the left sidebar, select Security & Compliance and Policies.
- Select New Policy.
- Select Scan result policy.
- For Name choose any name.
- For Rules choose "when Security Scan Secret Detection runs against the All protected branches and find(s). Any vulnerabilities that match all of the following criteria:".
- Select Add new criteria and New severity
- Choose Select all
- In Actions Select "Require 1 approval from:".
- Select any user that is not you.
- Switch to
.yaml
mode. - Add attributes below
vulnerability_states: []
.
vulnerability_attributes: false_positive: false fix_available: false
- Alternatively to steps 5 to 13, you can switch to
.yaml
mode and copy the Policy example below. And replace theuser_approvers_ids
with a valid user ID that has access to the project. - Select Configure with a merge request.
- Merge the MR.
- Produce an MR with a vulnerability finding.
- If you haven't already, set up a runner with docker.
- Go to the project page and select the Web IDE button.
- Create a new file called
.env
. - Add the following line to the file
AWS_TOKEN='AKIAZYONPI3G4JNCCWGA'
. - Commit the changes to a new branch and start an MR.
- The pipelines security tab should show one finding.
- Verify the feature
- The MR should require an approval after the pipeline finishes.
- Go back to edit the policy and change
false_positive
totrue
. - The MR should not require an approval anymore.
- Go back to edit the policy and change
false_positive
tofalse
again. - The MR should require an approval.
- Go back to edit the policy and change
fix_available
totrue
. - The MR should not require an approval anymore.
`.gitlab-ci.yml` with secret detection
# .gitlab-ci.yml
include:
- template: Jobs/Secret-Detection.gitlab-ci.yml
test-job:
script:
- echo "Test Job..."
Policy example
type: scan_result_policy
name: sdfsdf
description: ''
enabled: true
rules:
- type: scan_finding
branches: []
scanners:
- secret_detection
vulnerabilities_allowed: 0
severity_levels:
- critical
- high
- medium
- low
- unknown
- info
vulnerability_states: []
vulnerability_attributes:
false_positive: false
fix_available: false
actions:
- type: require_approval
approvals_required: 1
user_approvers_ids:
- 82
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #399117 (closed)
Edited by Martin Čavoj