Use (merge) base pipelines as scan result policy comparison pipelines
What does this MR do and why?
Scan result policies compare pipelines to detect security vulnerability policy violations. This changes the comparison logic so that it picks comparison pipelines in line with the merge request widget (see #427863).
Database

```sql
SELECT
  "merge_requests".*
FROM
  "merge_requests"
WHERE
  "merge_requests"."target_project_id" = 13083
  AND ("merge_requests"."state_id" IN (1))
  AND "merge_requests"."target_branch" = 'master';
```

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/25031/commands/79511
How to set up and validate locally

- Create a new project and enable the feature flag:

  ```ruby
  Feature.enable(:scan_result_policy_merge_base_pipeline, Project.last)
  ```

- Commit the following `.gitlab-ci.yml`:

  ```yaml
  include:
    - template: Security/Dependency-Scanning.gitlab-ci.yml
  ```

- Commit the following `Gemfile.lock`:

  ```
  GEM
    specs:
      rack (3.0.4.1)

  PLATFORMS
    arm64-darwin-22

  DEPENDENCIES
    rack

  BUNDLED WITH
     2.4.21
  ```

- Navigate to Secure > Policies and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Deny detected vulnerabilities
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: [detected]
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  ```

- Navigate to Secure > Policies and create the following scan execution policy:

  ```yaml
  type: scan_execution_policy
  name: Secret Detection
  description: ''
  enabled: true
  rules:
    - type: schedule
      cadence: '0 0 * * *'
      branch_type: all
  actions:
    - scan: secret_detection
  ```

- Execute the schedule:

  ```ruby
  # ID: the id of the project created above
  project = Project.find(ID)
  schedule = Security::OrchestrationPolicyRuleSchedule.last
  Security::ScanExecutionPolicies::RuleScheduleWorker.new.perform(project.id, project.owner.id, schedule.id)
  ```

- Open an MR targeting the default branch which adds a new file. Verify the MR requires approval.
For merged result pipelines, see the steps in Validate merged result pipelines
Related to #428518 (closed)