Support approval_policy as policy type
requested to merge 413783-be-allow-for-both-scan_result_policy-and-approval_policy-policy-types into master
What does this MR do and why?

This MR adds support for `approval_policy` as a policy type. This is equivalent to setting the `scan_result_policy` type. The `scan_result_policy` type is planned to be removed in %17.0 and replaced by `approval_policy`.

We cannot automatically migrate the existing policies, so we have to still support `scan_result_policy` for existing policies. The new policies should be stored using the `approval_policy` type.
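The rule the description spells out (read both type names as the same kind of policy, leave stored `scan_result_policy` entries untouched, write new entries as `approval_policy`) as an added Ruby illustration. This is constructed example code, not code from this MR or from GitLab; it assumes a `policy.yml` with one top-level list per policy type and a hypothetical `PolicyTypes` module, and the sample document and policies below are constructed for the example.

```ruby
require 'yaml'

# Hypothetical helper (not GitLab code) showing the "accept both, store new as
# approval_policy" behaviour. Assumes policy.yml holds one top-level list per
# policy type, e.g. scan_result_policy: [...] and approval_policy: [...].
module PolicyTypes
  LEGACY_TYPE = 'scan_result_policy'
  CURRENT_TYPE = 'approval_policy'
  # Both spellings are accepted on read so existing policies keep working.
  APPROVAL_TYPES = [LEGACY_TYPE, CURRENT_TYPE].freeze

  # Canonical type for a policy hash, or nil when it is not an approval policy.
  def self.canonical_type(policy)
    APPROVAL_TYPES.include?(policy['type']) ? CURRENT_TYPE : nil
  end

  # Every approval-type policy in the document, whichever key it is stored
  # under. Stored entries are returned as-is: no rewriting of the legacy type.
  def self.approval_policies(yaml_text)
    doc = YAML.safe_load(yaml_text) || {}
    APPROVAL_TYPES.flat_map { |key| Array(doc[key]) }
  end

  # Appends a new policy. Whatever type the author wrote, the new entry is
  # stored under approval_policy with type approval_policy; any existing
  # scan_result_policy entries are left exactly as they were.
  def self.add_policy(yaml_text, policy)
    unless canonical_type(policy)
      raise ArgumentError, "unsupported policy type: #{policy['type'].inspect}"
    end

    doc = YAML.safe_load(yaml_text) || {}
    doc[CURRENT_TYPE] = Array(doc[CURRENT_TYPE]) + [policy.merge('type' => CURRENT_TYPE)]
    doc.to_yaml
  end
end

# Constructed sample policy.yml with one legacy-typed policy already stored.
EXISTING_POLICY_YML = <<~YAML
  scan_result_policy:
    - type: scan_result_policy
      name: Legacy policy
      enabled: true
      rules:
        - type: scan_finding
          scanners: []
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - developer
YAML

# Constructed new policy, written with the new type name.
NEW_POLICY = {
  'type' => 'approval_policy',
  'name' => 'Test approval_policy',
  'enabled' => true,
  'rules' => [{ 'type' => 'any_merge_request', 'branch_type' => 'protected', 'commits' => 'any' }],
  'actions' => [{ 'type' => 'require_approval', 'approvals_required' => 1, 'role_approvers' => ['developer'] }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  updated = PolicyTypes.add_policy(EXISTING_POLICY_YML, NEW_POLICY)
  puts updated
  PolicyTypes.approval_policies(updated).each do |p|
    puts "#{p['name']} (stored type: #{p['type']}) -> #{PolicyTypes.canonical_type(p)}"
  end
end
```

Running the file prints the updated document, where the legacy entry still sits under `scan_result_policy` and the new one under `approval_policy`, followed by both policies resolving to the same canonical type. A type outside the two accepted names is rejected at write time rather than silently stored.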
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
CleanShot_2024-01-23_at_16.44.07
How to set up and validate locally
- Visit Secure -> Policies, create a new Scan Result policy
- Use the following YAML. Notice `type: approval_policy`:

```yaml
type: approval_policy
name: Test approval_policy
description: ''
enabled: true
rules:
  - type: any_merge_request
    branch_type: protected
    commits: any
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: true
  prevent_approval_by_author: true
  prevent_approval_by_commit_author: true
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
```

- Configure with merge request and merge
- Go back to the policies list and verify that the new policy is visible
- Edit the policy and check it is loaded
- Update the description and click Configure with merge request
- Verify that the only change is in the `description` attribute and merge
- Go back to the policies list and verify that the new description has been persisted
- Update README in MR and verify that approvals for this policy are required
- Go to the security policy project, inspect the `.gitlab/security-policies/policy.yml` file and verify that the policy has been created with the `approval_policy` type
Related to #413783 (closed)
Edited by Martin Čavoj