Persist violations for any_merge_request rules

What does this MR do and why?

With this MR, we start persisting violation details for any_merge_request policies. There are two configuration options for these policies:

  • Apply for any commits
  • Apply for unsigned commits

In case of any commits, we persist the violation details as:

{"violations" => {"any_merge_request" => {"commits" => true}}}

In case of unsigned commits, we persist a list of unsigned commits that caused the policy to be violated (limited to 20):

{"violations" => {"any_merge_request" => {"commits" => ["78dabb7a"]}}}
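Added example, not code from this MR or from GitLab itself: a small Ruby model of how the violation_data hash described above is built for each `commits:` option and read back afterwards. The Commit struct, its signed flag and the 20-commit cap are assumptions modelled on the description, not the project's implementation.

```ruby
# Assumed cap on the persisted list of unsigned commits (the MR says "limited to 20").
UNSIGNED_COMMITS_LIMIT = 20

# Minimal stand-in for a commit: full SHA plus whether it carries a verified signature.
Commit = Struct.new(:sha, :signed) do
  def short_sha
    sha[0, 8]
  end
end

# Build the "violations" => "any_merge_request" fragment for one rule.
# rule_commits is the policy's `commits:` option: "any" or "unsigned".
# Returns nil when the rule is not violated.
def any_merge_request_violation_data(rule_commits, commits)
  details =
    case rule_commits
    when 'any'
      # Any commit violates the rule; only the fact is recorded.
      { 'commits' => true }
    when 'unsigned'
      # Record the short SHAs of the unsigned commits, capped at the limit.
      unsigned = commits.reject(&:signed).first(UNSIGNED_COMMITS_LIMIT).map(&:short_sha)
      return nil if unsigned.empty?
      { 'commits' => unsigned }
    else
      raise ArgumentError, "unknown commits option: #{rule_commits.inspect}"
    end
  { 'violations' => { 'any_merge_request' => details } }
end

# Interpret persisted violation_data (what steps 6 and 8 inspect in the Rails console)
# and report which flavour of any_merge_request violation it holds.
def describe_violation(violation_data)
  commits = violation_data.dig('violations', 'any_merge_request', 'commits')
  case commits
  when true then 'violated: policy applies to any commit'
  when Array then "violated by #{commits.size} unsigned commit(s): #{commits.join(', ')}"
  else 'no any_merge_request violation recorded'
  end
end
```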

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. In rails console enable the feature flag
    Feature.enable(:save_policy_violation_data)
  2. Create a new project
  3. Go to Secure -> Policies and create a new policy:
    type: approval_policy
    name: Any MR
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  4. Create MR that updates README
  5. Verify that approvals for Any MR are required
  6. In rails console, check that violation_data has been persisted and the commit's short SHA is present:
    MergeRequest.last.scan_result_policy_violations
  7. Update the policy and switch from unsigned commits to any
  8. Verify that violation data is updated and there is "commits" => true. Example:
      MergeRequest.last.scan_result_policy_violations.last
      => #<Security::ScanResultPolicyViolation:0x00000002c2631540
        id: 354998,
        scan_result_policy_id: 204628,
        merge_request_id: 2075,
        project_id: 2298,
        created_at: Wed, 28 Feb 2024 09:57:14.895024000 UTC +00:00,
        updated_at: Wed, 28 Feb 2024 09:57:15.796237000 UTC +00:00,
        violation_data: {"violations"=>{"any_merge_request"=>{"commits"=>true}}}>

Related to #433399 (closed)

Edited by Martin Čavoj