
Lower `approvals_required` for conforming `any_merge_request` rules

What does this MR do and why?

We are introducing the any_merge_request scan result policy rule type (&9696 (closed)).

This MR lowers the approvals_required for merge request approval rules that do not violate the commits property. The commits property enforces approval based on the commits of the source branch: commits: unsigned requires approval only when an unsigned commit is present, while commits: any always requires approval.

How to set up and validate locally

  • Create a new project

  • Enable the feature flag for the project (in a Rails console):

    Feature.enable(:scan_result_any_merge_request, Project.find(ID))
  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Unsigned commits targeting protected branches
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - another.user # Replace me
  • Clone the repo locally, check out the signed-commits branch, and create a signed commit:

    • Generate a GPG keypair (assuming GDK):

      gpg --quick-generate-key "root <admin@example.com>" rsa2048 encr,sign 1y

    • Identify the key ID (the part after rsa2048/ in the sec line):

      % gpg --list-secret-keys --keyid-format LONG | grep -B 2 -i "admin@example.com"
      sec   rsa2048/49449597FFA454E5 2023-09-05 [SCEA] [expires: 2024-09-04]
            FDC47E5E81C2EB02F97693B649449597FFA454E5
      uid                 [ultimate] root <admin@example.com>

    • Create the signed commit with that key ID:

      git -c "user.name=admin@example.com" -c "user.signingkey=49449597FFA454E5" commit -S -m "Signed commit"

    • Verify the commit is signed with git show --show-signature
  • Check out the unsigned-commits branch, and create an unsigned commit

  • Push both branches, open MRs targeting main and verify only the MR with the unsigned commit requires approval.
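As an added illustration (not GitLab's implementation), the following Ruby models the decision the validation steps exercise: given the commits of a source branch with their git signature status, an any_merge_request rule with commits: unsigned keeps its approvals_required only when an unsigned commit is present, while commits: any keeps it whenever the branch has any commit. The git log format, the fake SHAs and the mapping of %G? codes to "signed" are assumptions made for the example.

```ruby
# Added example, not GitLab's code: evaluate an any_merge_request rule's
# `commits` property over the commits of a source branch.
#
# Input mimics `git log --format='%H %G?' target..source`, where %G? is git's
# signature status: G/U = valid signature (trusted/untrusted), N = no
# signature, B/E/X/Y/R = bad, unknown key, expired or revoked.
# Assumption: only G and U count as "signed"; everything else is unsigned.
SIGNED_STATUSES = %w[G U].freeze

Commit = Struct.new(:sha, :status) do
  def signed?
    SIGNED_STATUSES.include?(status)
  end
end

# Parse the log text into Commit structs; a missing status means unsigned.
def parse_git_log(text)
  text.each_line.map do |line|
    sha, status = line.split
    next if sha.nil?

    Commit.new(sha, status || 'N')
  end.compact
end

# A rule is violated when its `commits` condition matches the branch:
#   commits: any      -> any commit at all requires approval
#   commits: unsigned -> only an unsigned commit requires approval
def rule_violated?(commits_condition, commits)
  case commits_condition
  when 'any' then !commits.empty?
  when 'unsigned' then commits.any? { |c| !c.signed? }
  else raise ArgumentError, "unknown commits condition: #{commits_condition}"
  end
end

# Rules that are not violated get their approvals_required lowered to 0.
def effective_approvals_required(rule, commits)
  rule_violated?(rule[:commits], commits) ? rule[:approvals_required] : 0
end

# Constructed sample logs (SHAs are fake) for the two branches in the steps above.
SIGNED_BRANCH_LOG = "aaa111 G\nbbb222 U\n"
UNSIGNED_BRANCH_LOG = "ccc333 G\nddd444 N\n"

RULE = { type: 'any_merge_request', branch_type: 'protected',
         commits: 'unsigned', approvals_required: 1 }.freeze

if __FILE__ == $PROGRAM_NAME
  [SIGNED_BRANCH_LOG, UNSIGNED_BRANCH_LOG].each do |log|
    puts effective_approvals_required(RULE, parse_git_log(log)) # 0, then 1
  end
end
```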

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Dominic Bauer
