
Prevent policy bot message on non-applicable branches

What does this MR do and why?

This MR removes the policy bot message when there are no `scan_finding` or `license_finding` rules applicable to the current target branch.

Merge request approval policies whose rules use `branch_type: protected` apply only to protected branches. If an MR targets a non-protected branch, we don't want the policy bot comment to be created, because the approval rules are filtered out there and displayed as Optional.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new project
  2. Create CI configuration
    include:
      - template: Security/Secret-Detection.gitlab-ci.yml
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
  3. Go to Secure -> Policies and create a new policy. Example:
    type: approval_policy
    name: Sec & Lic
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
      - type: license_finding
        match_on_inclusion: true
        license_types:
          - MIT License
        license_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  4. Go to Code -> Branches and create a new unprotected branch from the main branch (called `unprotected` in the steps below)
  5. Create an MR that adds a violation (a hard-coded AWS access key for the `scan_finding` rule and a new dependency for the `license_finding` rule) and choose `unprotected` as the target branch. Example:
    diff --git a/.env b/.env
    new file mode 100644
    index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1
    --- /dev/null
    +++ b/.env
    @@ -0,0 +1 @@
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
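Review bot: the `.env` hunk commits a value in the AWS access key ID format (`AKIA...`) so that the Secret Detection job reports a finding and the `scan_finding` rule has something to act on; make sure the value is a placeholder and not a live credential, since anything pushed to the test project stays in its history. The file is also written without a trailing newline (`\ No newline at end of file`), which is harmless for the test but worth ending with a newline if the fixture gets reused.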
    diff --git a/requirements.txt b/requirements.txt
    new file mode 100644
    index 0000000000000000000000000000000000000000..e5041aff4030dc9f8a00823551126c3ad4c315fe
    --- /dev/null
    +++ b/requirements.txt
    @@ -0,0 +1 @@
    +pluggy==1.3.0
    \ No newline at end of file
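Review bot: the `requirements.txt` hunk pinning `pluggy==1.3.0` is the trigger for the `license_finding` rule (the policy matches newly detected `MIT License` components), and it is also missing a trailing newline. Because step 6 is a negative check (no comment), confirm that the MR pipeline actually ran the Dependency Scanning and Secret Detection jobs and produced findings before treating the absence of a comment as the fix working; steps 7 and 8 on `main` are the positive control for that.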
  6. Verify that no bot comment is created
  7. Change the target branch to `main`
  8. Verify that a bot comment is created
  9. Change the target branch back to `unprotected`
  10. Verify that the bot comment gets updated to "violations resolved"
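The decision these steps exercise, as an added example in Ruby (it is not GitLab's own code): a rule is applicable only when its branch selector matches the MR's target branch, and the bot comment is created or updated only while at least one `scan_finding` or `license_finding` rule is applicable. The helper names, the protected-branch list, and the default-branch name are assumptions made for the illustration.

```ruby
# Added example, not GitLab's implementation: a small model of the decision
# this MR makes. An approval-policy rule carries either a branch_type or a
# list of branch patterns; the policy bot comment is only warranted when at
# least one scan_finding or license_finding rule applies to the MR's target
# branch. Names and the branch lists below are assumptions for this example.

Rule = Struct.new(:type, :branch_type, :branches, keyword_init: true)

# Constructed sample: which branches count as protected in the test project.
PROTECTED_BRANCHES = %w[main release/*].freeze
DEFAULT_BRANCH = "main" # assumption: the project's default branch is main
POLICY_RULE_TYPES = %w[scan_finding license_finding].freeze

def protected_branch?(branch, protected_patterns = PROTECTED_BRANCHES)
  protected_patterns.any? { |pattern| File.fnmatch?(pattern, branch) }
end

# A rule applies to an MR when the target branch matches the rule's branch
# selector. Rules without a recognised selector never apply.
def rule_applies?(rule, target_branch, protected_patterns = PROTECTED_BRANCHES)
  case rule.branch_type
  when "protected" then protected_branch?(target_branch, protected_patterns)
  when "default"   then target_branch == DEFAULT_BRANCH
  when "all"       then true
  when nil         then Array(rule.branches).any? { |pattern| File.fnmatch?(pattern, target_branch) }
  else false
  end
end

# Only scan_finding / license_finding rules feed the policy bot comment.
def applicable_rules(rules, target_branch, protected_patterns = PROTECTED_BRANCHES)
  rules.select do |rule|
    POLICY_RULE_TYPES.include?(rule.type) && rule_applies?(rule, target_branch, protected_patterns)
  end
end

# What the bot should do for an MR that has violations (as the sample MR in
# the validation steps does):
#   :create          - applicable rules and no comment yet (step 8)
#   :update          - applicable rules and a comment already exists
#   :skip            - no applicable rules and no comment (step 6)
#   :update_resolved - no applicable rules but a comment exists, e.g. the MR
#                      was retargeted to an unprotected branch (step 10)
def bot_comment_action(rules:, target_branch:, existing_comment: false,
                       protected_patterns: PROTECTED_BRANCHES)
  if applicable_rules(rules, target_branch, protected_patterns).any?
    existing_comment ? :update : :create
  else
    existing_comment ? :update_resolved : :skip
  end
end

# The two rules from the policy in the validation steps above.
SAMPLE_RULES = [
  Rule.new(type: "scan_finding", branch_type: "protected"),
  Rule.new(type: "license_finding", branch_type: "protected"),
].freeze

if $PROGRAM_NAME == __FILE__
  %w[unprotected main].each do |target|
    puts "target=#{target}: #{bot_comment_action(rules: SAMPLE_RULES, target_branch: target)}"
  end
end
```

With the sample policy, retargeting from `unprotected` to `main` moves the decision from `:skip` to `:create`, and retargeting back with a comment present yields `:update_resolved`, which is the sequence steps 6 to 10 check by hand; a rule with `branch_type: all` or an explicit `branches` list would keep the comment even on an unprotected target.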
