
Add worker to sync approval rules with preexisting state

Sashi Kumar Kumaresan requested to merge sk/425482-add-worker into master

What does this MR do and why?

This MR fixes a bug with scan result policy for pre-existing vulnerability states (confirmed, detected, dismissed, resolved) where the approvals are checked only after the pipeline is complete. We don't need to wait for the pipeline to complete to enforce approval for pre-existing vulnerability states. The fix is to introduce a new worker that checks approvals even before the pipeline is complete and whenever the MR is updated. This is introduced behind a feature flag to reduce the risk of introducing a breaking change.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Create a project with a .gitlab-ci.yml that runs a security scan which introduces some vulnerabilities

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: 'citizenstig/dvwa:latest'
```
  • Create a scan result policy to require approval on pre-existing vulnerability states

```yaml
type: scan_result_policy
name: Pre-Existing Vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - confirmed
      - dismissed
      - resolved
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 22
approval_settings:
  prevent_pushing_and_force_pushing: false
```
  • Create an MR that updates the README and notice that the approval is enforced (along with a bot comment) before the pipeline is complete

MR with approvals enforced before pipeline is complete


  • Create an MR that skips CI by adding [ci skip] to the commit message and notice that the MR requires approvals for pre-existing vulnerabilities

MR with CI Skipped or no pipeline


  • Create a new project, or update the policy to require approval on pre-existing vulnerability states but with a different filter (maybe severity or scanner) so that the project's vulnerabilities do not violate the rule, then create an MR to update the README and notice that approvals are not enforced

MR with no violations


Addresses #425482 (closed)

Edited by Sashi Kumar Kumaresan
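Added example (not GitLab's code and not part of this MR): a stand-alone Ruby model of the decision the pre-pipeline check described above has to make for one scan_finding rule. It parses the rule from the policy YAML above, filters a constructed, hypothetical list of the project's existing vulnerabilities by scanner, severity and state, compares the count against vulnerabilities_allowed, and, as an assumption of this example, answers :wait_for_pipeline whenever a rule names a state that is not one of the four pre-existing ones.

```ruby
require 'yaml'

# Constructed scan_finding rule, copied from the policy in the MR description.
RULE_YAML = <<~YAML
  type: scan_finding
  scanners: []
  vulnerabilities_allowed: 0
  severity_levels: []
  vulnerability_states:
    - confirmed
    - dismissed
    - resolved
    - detected
  branch_type: protected
YAML

# Pre-existing states: findings already recorded on the project, so a rule
# built only from them can be evaluated without waiting for an MR pipeline.
PRE_EXISTING_STATES = %w[confirmed detected dismissed resolved].freeze

# Constructed (hypothetical) vulnerabilities already present on the project.
PROJECT_VULNERABILITIES = [
  { scanner: 'container_scanning', severity: 'high',   state: 'detected' },
  { scanner: 'container_scanning', severity: 'medium', state: 'dismissed' },
  { scanner: 'sast',               severity: 'low',    state: 'confirmed' }
].freeze

def enforceable_without_pipeline?(rule)
  rule['vulnerability_states'].all? { |s| PRE_EXISTING_STATES.include?(s) }
end

# Findings matching the rule's filters; an empty filter list means "any".
def matching_vulnerabilities(rule, vulnerabilities)
  vulnerabilities.select do |v|
    (rule['scanners'].empty? || rule['scanners'].include?(v[:scanner])) &&
      (rule['severity_levels'].empty? || rule['severity_levels'].include?(v[:severity])) &&
      rule['vulnerability_states'].include?(v[:state])
  end
end

# Outcome of a pre-pipeline check for one rule on MR update (assumption: rules
# covering non-pre-existing states are deferred until a pipeline has run).
def precheck_rule(rule, vulnerabilities)
  return :wait_for_pipeline unless enforceable_without_pipeline?(rule)
  count = matching_vulnerabilities(rule, vulnerabilities).size
  count > rule['vulnerabilities_allowed'] ? :approval_required : :no_violation
end

puts precheck_rule(YAML.safe_load(RULE_YAML), PROJECT_VULNERABILITIES)
```

Narrowing severity_levels in the rule reproduces the "no violations" case from the last validation step, while a rule that names any other state falls back to waiting for the pipeline.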
