
Unblock rules if scanners are defined by pipeline execution policies

What does this MR do and why?

Unblock merge request approval rules for which all required scanners are enforced by pipeline execution policies.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: CleanShot_2025-02-04_at_17.09.51_2x
After: CleanShot_2025-02-04_at_17.08.41_2x

How to set up and validate locally

  1. Enable the feature flags pipeline_execution_policy_analyze_configs and unblock_rules_using_pipeline_execution_policies
  2. Apply changes from !179502 (merged) until it's merged
    curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179502.diff | git apply
  3. Create a project to serve as the security policy project (SPP)
  4. In the project, create policy-ci.yml:
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    policy-test-job:
      stage: test
      script:
        - echo 'Policy test job 1'
  5. Create another project
  6. In this project, go to Secure -> Policies and link the SPP from step 3 as a policy project
  7. Create a new pipeline execution policy:
    pipeline_execution_policy:
      - name: Enforced scans
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <path-to-spp-project>
              file: policy-ci.yml
  8. Save the policy
  9. Create a merge request approval policy, requiring approvals for new dependency_scanning vulnerabilities with an option to unblock rules using execution policies:
    approval_policy:
      - name: Dependency scan approvals
        description: ''
        enabled: true
        rules:
          - type: scan_finding
            scanners:
              - dependency_scanning
            vulnerabilities_allowed: 0
            severity_levels: []
            vulnerability_states: []
            branch_type: protected
        actions:
          - type: require_approval
            approvals_required: 1
            role_approvers:
              - developer
          - type: send_bot_message
            enabled: true
        approval_settings:
          block_branch_modification: false
          prevent_pushing_and_force_pushing: false
          prevent_approval_by_author: false
          prevent_approval_by_commit_author: false
          remove_approvals_with_new_commit: false
          require_password_to_approve: false
        fallback_behavior:
          fail: closed
        policy_tuning:
          unblock_rules_using_execution_policies: true
    
  10. In the project, create an MR (for example, update README.md)
  11. Verify that no approvals are required, even though the dependency_scanning job did not run in the MR pipeline
  12. Disable the pipeline execution policy
  13. Verify that an approval is now required, because the scanner configuration is missing and the policy falls back to fail: closed
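
The Ruby below is an added illustration, not code from this MR or from GitLab, that models the decision the validation steps exercise: which scanners an enabled pipeline execution policy enforces (by following its include into the SPP file), and whether a scan_finding rule is unblocked when a required scanner did not run. The SPP path group/spp, the in-memory file lookup, and the template-to-scanner mapping are assumptions for the example; the product's own config analysis may differ.

```ruby
require 'yaml'

# Constructed sample inputs (not taken from the MR): the SPP's policy-ci.yml and the
# two policies from the validation steps, with the SPP assumed to live at "group/spp".
POLICY_CI_YML = <<~YAML
  include:
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml

  policy-test-job:
    stage: test
    script:
      - echo 'Policy test job 1'
YAML

PIPELINE_EXECUTION_POLICY_YML = <<~YAML
  pipeline_execution_policy:
    - name: Enforced scans
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: group/spp
            file: policy-ci.yml
YAML

APPROVAL_POLICY_YML = <<~YAML
  approval_policy:
    - name: Dependency scan approvals
      enabled: true
      rules:
        - type: scan_finding
          scanners:
            - dependency_scanning
          vulnerabilities_allowed: 0
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
      fallback_behavior:
        fail: closed
      policy_tuning:
        unblock_rules_using_execution_policies: true
YAML

# Assumed mapping from GitLab scanner CI templates to the scanner names used in
# scan_finding rules. Illustrative only; the product's config analysis may differ.
TEMPLATE_SCANNERS = {
  'Jobs/Dependency-Scanning.gitlab-ci.yml' => 'dependency_scanning',
  'Jobs/SAST.gitlab-ci.yml'                => 'sast',
  'Jobs/Secret-Detection.gitlab-ci.yml'    => 'secret_detection',
  'Jobs/Container-Scanning.gitlab-ci.yml'  => 'container_scanning'
}.freeze

# `include:` may be a single mapping or a list of mappings; normalise to a list.
def include_entries(value)
  value.is_a?(Hash) ? [value] : Array(value)
end

# Scanners enforced by every *enabled* execution policy. `project_files` maps
# "project_path/file" to YAML content and stands in for fetching files from the SPP.
def scanners_enforced_by(pipeline_execution_policy_yml, project_files)
  policies = YAML.safe_load(pipeline_execution_policy_yml).fetch('pipeline_execution_policy', [])
  policies.select { |p| p['enabled'] }.flat_map do |policy|
    include_entries(policy.dig('content', 'include')).flat_map do |inc|
      content = project_files["#{inc['project']}/#{inc['file']}"]
      next [] unless content
      include_entries(YAML.safe_load(content)['include'])
        .filter_map { |entry| TEMPLATE_SCANNERS[entry['template']] }
    end
  end.uniq
end

# Decision for each scan_finding rule of the first approval policy:
#   :evaluate_findings  every required scanner ran, so the rule is judged on findings
#   :unblocked          a scanner is missing, but policy_tuning allows unblocking and an
#                       execution policy enforces every missing scanner
#   :approval_required  a scanner is missing and fallback_behavior is fail: closed
def evaluate_rules(approval_policy_yml, enforced_scanners, scanners_in_pipeline)
  policy = YAML.safe_load(approval_policy_yml).fetch('approval_policy').first
  unblock = policy.dig('policy_tuning', 'unblock_rules_using_execution_policies') == true
  fail_closed = policy.dig('fallback_behavior', 'fail') == 'closed'

  policy['rules'].select { |r| r['type'] == 'scan_finding' }.map do |rule|
    missing = Array(rule['scanners']) - scanners_in_pipeline
    if missing.empty?
      :evaluate_findings
    elsif unblock && (missing - enforced_scanners).empty?
      :unblocked
    elsif fail_closed
      :approval_required
    else
      :unblocked # fail: open never blocks on a missing scanner
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  files = { 'group/spp/policy-ci.yml' => POLICY_CI_YML }
  enforced = scanners_enforced_by(PIPELINE_EXECUTION_POLICY_YML, files)
  # Step 11: README-only MR, dependency_scanning job did not run, execution policy enabled.
  p evaluate_rules(APPROVAL_POLICY_YML, enforced, [])
  # Step 13: execution policy disabled, so nothing is enforced and the rule fails closed.
  disabled = PIPELINE_EXECUTION_POLICY_YML.sub('enabled: true', 'enabled: false')
  p evaluate_rules(APPROVAL_POLICY_YML, scanners_enforced_by(disabled, files), [])
end
```

The two calls at the bottom reproduce steps 11 and 13: with the execution policy enabled the rule comes back unblocked, and with it disabled the same rule requires an approval. Note that only enabled execution policies count, so disabling the policy has the same effect as deleting it.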

Related to #498624 (closed)

Edited by Martin Cavoj
