Support approval_policy as policy type

What does this MR do and why?

This MR adds support for `approval_policy` as a policy type. It is equivalent to the `scan_result_policy` type, which is planned to be removed in %17.0 and replaced by `approval_policy`.

Existing policies cannot be migrated automatically, so `scan_result_policy` must still be supported for them. New policies should be stored using the `approval_policy` type.
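To make the "two types, one family" rule concrete, here is an added Ruby example (not code from this MR or from GitLab itself) that reads a constructed `policy.yml` with both a legacy and a new policy, lists them together, decides which type a policy should be stored with, and flags a policy whose `type` field disagrees with the key it is stored under. It assumes the policy file keeps one list per type under top-level keys named after the type; that layout is an assumption for the example.

```ruby
require 'yaml'

# Constructed policy.yml sample (assumption: one list per policy type,
# keyed by the type name). One legacy policy, one new-style policy.
SAMPLE_POLICY_YML = <<~YAML
  scan_result_policy:
    - type: scan_result_policy
      name: Legacy policy
      enabled: true
      rules:
        - type: scan_finding
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
  approval_policy:
    - type: approval_policy
      name: Test approval_policy
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
          commits: any
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - developer
YAML

# The legacy type and its replacement are read as one family.
APPROVAL_TYPES = %w[scan_result_policy approval_policy].freeze

# All approval-style policies, whichever key they are stored under.
def approval_policies(yml)
  doc = YAML.safe_load(yml) || {}
  APPROVAL_TYPES.flat_map { |key| Array(doc[key]) }
end

# Existing policies keep their type (no automatic migration);
# anything newly created is stored as approval_policy.
def storage_type_for(policy, existing: false)
  return policy['type'] if existing && APPROVAL_TYPES.include?(policy['type'])

  'approval_policy'
end

# Names of policies whose `type` field does not match the key they live
# under; a quick consistency check after a policy MR has been merged.
def mismatched_types(yml)
  doc = YAML.safe_load(yml) || {}
  APPROVAL_TYPES.flat_map do |key|
    Array(doc[key]).reject { |p| p['type'] == key }.map { |p| p['name'] }
  end
end
```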

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screenshot: CleanShot_2024-01-23_at_16.44.07)

How to set up and validate locally

  1. Visit Secure -> Policies and create a new Scan Result policy.
  2. Use the following YAML. Notice `type: approval_policy`:

     ```yaml
     type: approval_policy
     name: Test approval_policy
     description: ''
     enabled: true
     rules:
       - type: any_merge_request
         branch_type: protected
         commits: any
       - type: scan_finding
         scanners: []
         vulnerabilities_allowed: 0
         severity_levels: []
         vulnerability_states: []
         branch_type: protected
     actions:
       - type: require_approval
         approvals_required: 1
         role_approvers:
           - developer
     approval_settings:
       block_branch_modification: true
       prevent_pushing_and_force_pushing: true
       prevent_approval_by_author: true
       prevent_approval_by_commit_author: true
       remove_approvals_with_new_commit: true
       require_password_to_approve: false
     ```

  3. Click "Configure with merge request" and merge.
  4. Go back to the policies list and verify that the new policy is visible.
  5. Edit the policy and check that it is loaded.
  6. Update the description and click "Configure with merge request".
  7. Verify that the only change is in the `description` attribute, then merge.
  8. Go back to the policies list and verify that the new description has been persisted.
  9. Update the README in an MR and verify that approvals for this policy are required.
  10. Go to the security policy project, inspect the `.gitlab/security-policies/policy.yml` file and verify that the policy has been created with the `approval_policy` type.

Related to #413783 (closed)

Edited by Martin Čavoj