Persist violations for any_merge_request rules
What does this MR do and why?
With this MR, we start persisting violation details for any_merge_request
policies. There are two configuration options for these policies:
- Apply for `any` commits
- Apply for `unsigned` commits
In the case of `any` commits, we persist the violation details as:
```ruby
{"violations" => {"any_merge_request" => {"commits" => true}}}
```
In the case of `unsigned` commits, we persist a list of the unsigned commits (short SHAs) that caused the policy to be violated, limited to 20 entries:
```ruby
{"violations" => {"any_merge_request" => {"commits" => ["78dabb7a"]}}}
```
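To make the two shapes of `violation_data` concrete, here is an added stand-alone illustration of how a rule's `commits:` setting maps onto the persisted hash. This is example code written for this description, not the code in the MR or elsewhere in GitLab; the `Commit` struct, `build_violation_data`, `MAX_UNSIGNED_COMMITS` and the sample commits are all assumed, and the choice to return `nil` when the rule is not violated is an assumption as well. It also mirrors what the validation steps below look for in the console: `"commits" => true` for `any`, and a list of short SHAs for `unsigned`.

```ruby
# Added illustration, not GitLab's code: how an any_merge_request rule's
# configuration maps onto the persisted violation_data hash described above.
# Commit, build_violation_data and MAX_UNSIGNED_COMMITS are assumed names.

# Constructed stand-in for a commit; GitLab's real Commit object is richer.
Commit = Struct.new(:sha, :signed, keyword_init: true) do
  # Short SHA as shown in the MR description ("78dabb7a"): first 8 hex chars.
  def short_id
    sha[0, 8]
  end
end

# Upper bound on how many unsigned commit SHAs are persisted (from the description).
MAX_UNSIGNED_COMMITS = 20

# Returns the violation_data hash for one any_merge_request rule, or nil when
# the rule is not violated (assumption: nothing is persisted in that case).
#
# commits_mode:: "any" or "unsigned", mirroring the policy's `commits:` key
# commits::      the merge request's commits
def build_violation_data(commits_mode, commits)
  details =
    case commits_mode
    when "any"
      # Any commit at all violates the rule; only the fact is recorded.
      commits.empty? ? nil : true
    when "unsigned"
      # Only unsigned commits are recorded, as short SHAs, capped at 20.
      unsigned = commits.reject(&:signed).map(&:short_id)
      unsigned.empty? ? nil : unsigned.first(MAX_UNSIGNED_COMMITS)
    else
      raise ArgumentError, "unknown commits mode: #{commits_mode.inspect}"
    end

  return nil if details.nil?

  { "violations" => { "any_merge_request" => { "commits" => details } } }
end

# Constructed sample input: two unsigned commits and one signed one.
SAMPLE_COMMITS = [
  Commit.new(sha: "78dabb7a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f", signed: false),
  Commit.new(sha: "0123456789abcdef0123456789abcdef01234567", signed: true),
  Commit.new(sha: "deadbeefcafef00d0123456789abcdef01234567", signed: false)
].freeze

if __FILE__ == $PROGRAM_NAME
  p build_violation_data("any", SAMPLE_COMMITS)
  # => {"violations"=>{"any_merge_request"=>{"commits"=>true}}}
  p build_violation_data("unsigned", SAMPLE_COMMITS)
  # => {"violations"=>{"any_merge_request"=>{"commits"=>["78dabb7a", "deadbeef"]}}}
end
```

Run it with `ruby violation_data.rb`. The `unsigned` branch keeps the first 20 offending commits in merge-request order, so with more than 20 unsigned commits the persisted list is a sample of the violation, not the full set.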
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- In the Rails console, enable the feature flag:
  ```ruby
  Feature.enable(:save_policy_violation_data)
  ```
- Create a new project.
- Go to Secure -> Policies and create a new policy:
  ```yaml
  type: approval_policy
  name: Any MR
  description: ''
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - developer
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: true
  ```
- Create an MR that updates the README.
- Verify that approvals for `Any MR` are required.
- In the Rails console, check that `violation_data` has been persisted and the commit's short SHA is present:
  ```ruby
  MergeRequest.last.scan_result_policy_violations
  ```
- Update the policy and switch from `unsigned` commits to `any`.
- Verify that the violation data is updated and now contains `"commits" => true`. Example:
  ```ruby
  MergeRequest.last.scan_result_policy_violations.last
  => #<Security::ScanResultPolicyViolation:0x00000002c2631540 id: 354998, scan_result_policy_id: 204628, merge_request_id: 2075, project_id: 2298, created_at: Wed, 28 Feb 2024 09:57:14.895024000 UTC +00:00, updated_at: Wed, 28 Feb 2024 09:57:15.796237000 UTC +00:00, violation_data: {"violations"=>{"any_merge_request"=>{"commits"=>true}}}>
  ```
Related to #433399 (closed)
Edited by Martin Čavoj