
Scan result policy approval setting overrides

What does this MR do and why?

Last MR for #418752 (closed), where we are adding support for the approval_settings scan result policy setting.

approval_settings contains attributes that override a project's merge request approval settings when the policy is violated.

How to set up and validate locally

Validating prevent_approval_by_author

  • Create a new project and enable the feature flag for it from a Rails console (ID is the project's ID):

    Feature.enable(:scan_result_any_merge_request, Project.find(ID))
  • Navigate to Settings > Merge requests, and under the Approval settings section:

    • disable the Prevent approval by author option
    • select the Keep approvals checkbox
    • save changes
  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Container Scanning
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - <other user>
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: true
  • Commit the following .gitlab-ci.yml to the default branch:

    include:
      - template: Security/Container-Scanning.gitlab-ci.yml

    container_scanning:
      variables:
        CS_IMAGE: "nginx"
  • Update .gitlab-ci.yml on a new branch and create an MR:

    -CS_IMAGE: "nginx"
    +CS_IMAGE: "nginx:1"
  • Verify that, as the MR author, you cannot approve the MR. Edit the policy and set enabled: false, then verify that you can approve it.

Action-less policies

  • Set enabled: true again and remove the approval_settings block from the existing policy:

    type: scan_result_policy
    name: Container Scanning
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - <other user>
  • Verify that you can approve the MR.

  • Create the following action-less scan result policy:

    type: scan_result_policy
    name: Enforced Approval Settings
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  • Verify that you can no longer approve the MR.

Validating prevent_approval_by_commit_author

  • Add another user with the Developer role or higher to the project and to the policy, and impersonate them
  • Open an MR
  • Add a commit authored by a different user to the MR
  • Verify that the rule is auto-approved (if the project has only two members, since both are now commit authors), or that neither commit author can approve the MR (if the project has more than two members).

Validating remove_approvals_with_new_commit

  • Open an MR
  • Add another user with the Developer role or higher to the project and to the policy, and impersonate them
  • Approve the MR
  • Push another commit to the MR branch
  • Verify that the approval has been removed

Validating require_password_to_approve

  • Attempt to approve any MR with the policy in place and verify that you are prompted for your password before the approval is accepted
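As an added illustration of the override behaviour these steps exercise (example code written for this description, not GitLab's implementation): the two policies from the steps above are parsed, checked against the four approval_settings keys they use, and layered over the project's own approval settings for a given MR. The validate_policy, policy_applies? and effective_approval_settings helpers, the mr hash fields, and the merge rule (a policy `true` forces a setting on, a policy `false` leaves the project's value alone, so policies only tighten settings) are assumptions made for the example.

```ruby
require 'yaml'

# Added example, not GitLab code. Settings keys are the four used in the
# policies above; `<other user>` is kept as the placeholder from the steps.
APPROVAL_SETTING_KEYS = %w[
  prevent_approval_by_author
  prevent_approval_by_commit_author
  remove_approvals_with_new_commit
  require_password_to_approve
].freeze

CONTAINER_SCANNING_POLICY = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers:
        - root
        - <other user>
  approval_settings:
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: false
    remove_approvals_with_new_commit: false
    require_password_to_approve: true
YAML

ACTIONLESS_POLICY = <<~YAML
  type: scan_result_policy
  name: Enforced Approval Settings
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  approval_settings:
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: true
YAML

# Project-level settings from the setup steps: "Prevent approval by author"
# disabled and "Keep approvals" selected (approvals are not removed).
PROJECT_SETTINGS = APPROVAL_SETTING_KEYS.to_h { |key| [key, false] }.freeze

# Returns a list of problems; empty when the policy is well-formed.
def validate_policy(policy)
  problems = []
  problems << 'type must be scan_result_policy' unless policy['type'] == 'scan_result_policy'
  problems << 'enabled must be boolean' unless [true, false].include?(policy['enabled'])
  rules = policy['rules']
  problems << 'rules must be a non-empty list' unless rules.is_a?(Array) && !rules.empty?
  Array(rules).each_with_index do |rule, i|
    next if %w[scan_finding any_merge_request].include?(rule['type'])
    problems << "rules[#{i}]: unsupported type #{rule['type'].inspect}"
  end
  settings = policy['approval_settings']
  # actions are optional (action-less policies), but a policy needs one or the other
  problems << 'policy has neither actions nor approval_settings' if policy['actions'].nil? && settings.nil?
  (settings || {}).each do |key, value|
    problems << "approval_settings.#{key}: unknown key" unless APPROVAL_SETTING_KEYS.include?(key)
    problems << "approval_settings.#{key}: must be boolean" unless [true, false].include?(value)
  end
  problems
end

# A scan_finding rule applies when the MR violates it (mr[:scan_finding_violated]);
# an any_merge_request rule applies to every MR, or only to MRs carrying unsigned
# commits when the rule says `commits: unsigned`.
def policy_applies?(policy, mr)
  return false unless policy['enabled']
  policy['rules'].any? do |rule|
    case rule['type']
    when 'scan_finding' then mr[:scan_finding_violated]
    when 'any_merge_request'
      rule['commits'] == 'any' || (rule['commits'] == 'unsigned' && mr[:has_unsigned_commits])
    else false
    end
  end
end

# Assumed merge rule: a policy `true` forces the setting on for the MR, a policy
# `false` leaves the project value untouched, so the strictest applying policy wins.
def effective_approval_settings(project_settings, policies, mr)
  applying = policies.select { |p| policy_applies?(p, mr) }
  APPROVAL_SETTING_KEYS.to_h do |key|
    forced = applying.any? { |p| (p['approval_settings'] || {})[key] == true }
    [key, project_settings.fetch(key, false) || forced]
  end
end

POLICIES = [CONTAINER_SCANNING_POLICY, ACTIONLESS_POLICY].map { |y| YAML.safe_load(y) }.freeze
```

For the MR from the first procedure (a container scanning violation, policy enabled), effective_approval_settings yields prevent_approval_by_author and require_password_to_approve forced on while the other two keep the project's value; with the policy disabled the result equals PROJECT_SETTINGS, and the action-less policy applies to any MR with unsigned commits even when no scan finding is violated.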

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Dominic Bauer
