Add approval notification for unenforceable policy rules
What does this MR do and why?
With this change, a policy bot comment will be created for policy rules that could not be enforced due to missing scanners in the pipeline, or missing pipeline setup altogether.
flowchart TD
A[MR is created] -->WithPipelines
A[MR is created] -->WithoutPipelines
subgraph WithPipelines[Pipelines are set up]
A2[Pipeline finished] --> B{Has all security artifacts?}
A3[Change target branch] -->|Applicable rules may change
and become unenforceable| H
B -->|Yes| G[Bot comment handled by
SyncFindingsToApprovalRulesService and
SyncLicenseScanningRulesService]
B -->|No| H[Enqueue worker]
end
subgraph WithoutPipelines[No pipelines]
C0[MR] --> C1
C0 --> C2
C1[After create] -->|Applicable report_approver
rules are unenforceable| D[Enqueue worker]
C2[Change target branch] -->|Applicable rules may change
and become unenforceable| D
end
subgraph Worker[UnenforceablePolicyRulesNotificationService]
W0[Execute] -->|scan_finding rules| W1[No pipeline or no corresponding artifact?]
W0 -->|license_scanning rules| W1
W1 --> Wend[Create/Update bot comment based on violations
for the applicable rules]
end
H -->|Notify for reports with artifacts| Worker
D -->|Notify for any report_approver rules| WorkerScreenshots or screen recordings
| With pipelines; at first targeting a protected branch | CleanShot_2023-11-13_at_13.15.44 |
| With pipelines; at first targeting a non-protected branch | CleanShot_2023-11-13_at_13.16.45 |
| Without pipelines; update of comment when policy gets disabled | CleanShot_2023-11-13_at_13.17.52_2_trimmed |
Database
There is a new scope for_approval_rules.
SELECT 1 AS one FROM "scan_result_policy_violations" WHERE "scan_result_policy_violations"."merge_request_id" = 263349793 AND "scan_result_policy_violations"."scan_result_policy_id" IN (945, 946);Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/23784/commands/76285
Note: I was not able to find a specific scan_result_policy_id for which any rows would be returned.
Other queries related to this MR:
SELECT 1 AS one FROM "approval_merge_request_rules" WHERE "approval_merge_request_rules"."merge_request_id" = 260637620 AND "approval_merge_request_rules"."scan_result_policy_id" IS NOT NULL LIMIT 1;Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/23784/commands/76297
SELECT 1 AS one FROM "approval_project_rules" WHERE "approval_project_rules"."project_id" = 50532553 AND "approval_project_rules"."scan_result_policy_id" IS NOT NULL LIMIT 1Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/23784/commands/76303
How to set up and validate locally
- In rails console enable the feature flag
Feature.enable(:security_policies_unenforceable_rules_notification) - Go to Secure -> Policies and create a new scan result policy. Sample YAML:
type: scan_result_policy name: Sec & Lic description: '' enabled: true rules: - type: scan_finding scanners: [] vulnerabilities_allowed: 0 severity_levels: [] vulnerability_states: [] branch_type: protected - type: license_finding match_on_inclusion: true license_types: - BSD 3-Clause "New" or "Revised" License license_states: - newly_detected branch_type: protected actions: - type: require_approval approvals_required: 1 role_approvers: - developer approval_settings: block_unprotecting_branches: true prevent_pushing_and_force_pushing: true
With no pipelines
- In a project where there is no
.gitlab-ci.yml, create any MR (e.g. update README) - Observe required approvals for
Sec & Lic - Observe a policy bot comment being created
- Change the target branch to a non-protected one (you can go to Code -> Branches and create a new branch from
main) - The policy bot comment should be updated to say the violations have been resolved
- Create a new MR targeting a non-protected branch from the beginning -> there should be no policy bot comment. Change the target branch to
mainand the bot comment should appear.
With missing scanners
- Create a
.gitlab-ci.ymlfile and don't include dependency scanning. Sample YAML:include: - template: Jobs/Secret-Detection.gitlab-ci.yml # - template: Jobs/Dependency-Scanning.gitlab-ci.yml build-job: script: - echo "Compiling the code..." - echo "Compile complete." - Create MR a policy bot comment being created and approvals should be still required after pipeline finishes
- Update
.gitlab-ci.ymlagain and include also the commented-out dependency scanning template. Add emptyrequirements.txtfile in the repo. - Create another MR. There should be no policy bot comment and no required approvals after pipeline finishes.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #417598 (closed)
Merge request reports
Activity
changed milestone to %16.5
assigned to @mcavoj
mentioned in issue #417598 (closed)
Allure report
allure-report-publishergenerated test report!e2e-test-on-gdk:
expand test summary
+-----------------------------------------------------------------------+ | suites summary | +------------------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +------------------+--------+--------+---------+-------+-------+--------+ | Plan | 55 | 0 | 0 | 0 | 55 | ✅ | | Verify | 31 | 0 | 0 | 0 | 31 | ✅ | | Create | 48 | 0 | 9 | 0 | 57 | ✅ | | Govern | 57 | 0 | 0 | 0 | 57 | ✅ | | Framework sanity | 0 | 0 | 1 | 0 | 1 | ➖ | | Data Stores | 23 | 0 | 0 | 0 | 23 | ✅ | | Monitor | 8 | 0 | 0 | 0 | 8 | ✅ | | Manage | 0 | 0 | 1 | 0 | 1 | ➖ | | Package | 0 | 0 | 1 | 0 | 1 | ➖ | +------------------+--------+--------+---------+-------+-------+--------+ | Total | 222 | 0 | 12 | 0 | 234 | ✅ | +------------------+--------+--------+---------+-------+-------+--------+e2e-package-and-test:
expand test summary
+-------------------------------------------------------------+ | suites summary | +--------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +--------+--------+--------+---------+-------+-------+--------+ | Govern | 176 | 0 | 14 | 2 | 190 | ❗ | +--------+--------+--------+---------+-------+-------+--------+ | Total | 176 | 0 | 14 | 2 | 190 | ❗ | +--------+--------+--------+---------+-------+-------+--------+Edited by Ghost Useradded 1 commit
- ffae7d8d - Add approval notification for unenforceable scan_finding rules
- A deleted user
added feature flag label
added 1 commit
- 198bf9bd - Add approval notification for unenforceable scan_finding rules
added 1 commit
- a8fb8bfb - Add approval notification for unenforceable scan_finding rules
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@39c4fc29
changed milestone to %16.6
added missed-deliverable missed:16.5 labels
added 4947 commits
-
a8fb8bfb...b4defed1 - 4946 commits from branch
master - 9d7f60ed - Add approval notification for unenforceable policy rules
-
a8fb8bfb...b4defed1 - 4946 commits from branch
- A deleted user
added databasereview pending label
4 Warnings 
This merge request is quite big (706 lines changed), please consider splitting it into multiple merge requests. 14a375e3: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines. f13282f5: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines. featureaddition and featureenhancement merge requests normally have a documentation change. Consider adding a documentation update or confirming the documentation plan with the Technical Writer counterpart.
For more information, see:
- The Handbook page on merge request types.
- The definition of done documentation.
1 Message 
CHANGELOG missing: If this merge request needs a changelog entry, add the
Changelogtrailer to the commit message you want to add to the changelog.If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
Category Reviewer Maintainer backend @hustewart
(UTC-5, 6 hours behind author)
@kerrizor (UTC-8, 9 hours behind author)
database @jarka (UTC+1, same timezone as author)
@ahegyi (UTC+1, same timezone as author)
~"Verify" Reviewer review is optional for ~"Verify" @pedropombeiro (UTC+1, same timezone as author)
Please check reviewer's status!
-
Reviewer is available!
-
Reviewer is unavailable!
Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
Sidekiq queue changes
This merge request contains changes to Sidekiq queues. Please follow the documentation on changing a queue's urgency.
These queues were added:
security_unenforceable_policy_rules_notificationsecurity_unenforceable_policy_rules_pipeline_notification
If needed, you can retry the
danger-reviewjob that generated this comment.Generated by
Edited by Ghost Usermentioned in commit gitlab-org-sandbox/gitlab-jh-validation@1db130f0
