
Collect audit events for security policy violations in merge requests

What does this MR do and why?

When security policy violations are detected in a merge request, an audit event is recorded. The event is streaming-only (sent to configured streaming destinations, not persisted), because these violations are expected to generate a high volume of events.

References

Related to #549811 (closed)

How to set up and validate locally

  1. Enable the feature flag in the Rails console:

    Feature.enable(:collect_security_policy_violations_detected_audit_events)
  2. Switch to admin mode and set up audit event streaming.
  3. Set up a project with security policies:
    • Create a project with a security orchestration policy configuration
    • Configure scan result policies (e.g., dependency scanning, SAST)
  4. Create a merge request that violates the policies:
    • Push code that triggers security violations
    • Wait for policy evaluation to complete
  5. Verify that an audit event is sent to the streaming destination.

Example setup: https://gitlab.com/gitlab-org/security-risk-management/security-policies/team-member-environment/imam-test-group/policy-violations-test/-/merge_requests/1

Example


{
  "id": 562,
  "author_id": 1,
  "entity_id": 20,
  "entity_type": "Project",
  "details": {
    "merge_request_title": "Edit test.rb",
    "merge_request_id": 254,
    "merge_request_iid": 49,
    "source_branch": "root-main-patch-70884",
    "target_branch": "main",
    "project_id": 20,
    "project_name": "Project Two",
    "project_full_path": "gitlab-org/project-2",
    "violated_policies": [
      {
        "policy_name": "Any MR rule",
        "policy_type": "approval_policy"
      }
    ],
    "violation_details": {
      "fail_open_policies": [],
      "fail_closed_policies": [
        "Any MR rule"
      ],
      "new_scan_finding_violations": [],
      "previous_scan_finding_violations": [],
      "license_scanning_violations": [],
      "any_merge_request_violations": [
        {
          "name": "Any MR rule",
          "commits": true
        }
      ],
      "errors": [],
      "comparison_pipelines": []
    },
    "security_policy_management_project_id": 20,
    "event_name": "policy_violations_detected",
    "author_name": "Administrator",
    "author_class": "User",
    "target_id": 254,
    "target_type": "MergeRequest",
    "target_details": "Edit test.rb",
    "custom_message": "1 merge request approval policy violation(s) detected in merge request with title \"Edit test.rb\" in \"Project Two\" project",
    "ip_address": "172.16.123.1",
    "entity_path": "gitlab-org/project-2"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Administrator",
  "entity_path": "gitlab-org/project-2",
  "target_details": "Edit test.rb",
  "created_at": "2025-06-17T09:03:34.024Z",
  "target_type": "MergeRequest",
  "target_id": 254,
  "event_type": "policy_violations_detected"
}
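On the receiving side, step 5 above ("verify that an audit event is sent") means a streaming destination has to accept this payload, check that it really came from GitLab, and turn it into something a reviewer can act on. The following is an added example, not code from this MR or from GitLab: it parses a trimmed copy of the event shown above, checks the destination's verification token with a constant-time compare, and summarizes which policies block the merge and how many violations fall into each category. The token value is constructed for the example.

```ruby
require "json"

# Constructed sample, trimmed from the streamed payload shown above.
SAMPLE_EVENT = <<~EVENT
  {
    "id": 562, "entity_type": "Project",
    "details": {
      "merge_request_iid": 49,
      "project_full_path": "gitlab-org/project-2",
      "violated_policies": [{"policy_name": "Any MR rule", "policy_type": "approval_policy"}],
      "violation_details": {
        "fail_open_policies": [],
        "fail_closed_policies": ["Any MR rule"],
        "new_scan_finding_violations": [],
        "previous_scan_finding_violations": [],
        "license_scanning_violations": [],
        "any_merge_request_violations": [{"name": "Any MR rule", "commits": true}],
        "errors": []
      }
    },
    "event_type": "policy_violations_detected"
  }
EVENT

# Placeholder for the verification token configured on the streaming destination.
EXPECTED_TOKEN = "constructed-verification-token"

# Constant-time comparison so the token check does not leak where a guess diverges.
def token_valid?(presented, expected = EXPECTED_TOKEN)
  return false if presented.nil? || presented.bytesize != expected.bytesize
  presented.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

VIOLATION_KEYS = %w[new_scan_finding_violations previous_scan_finding_violations
                    license_scanning_violations any_merge_request_violations].freeze

# Reduce one streamed event to what an on-call reviewer needs: the fail-closed
# policies that block the merge, a violation count per category, and whether
# policy evaluation itself reported errors. Returns nil for other event types.
def summarize_policy_violation_event(raw_body, token)
  raise ArgumentError, "bad streaming token" unless token_valid?(token)
  event = JSON.parse(raw_body)
  return nil unless event["event_type"] == "policy_violations_detected"
  details = event.fetch("details")
  vd = details.fetch("violation_details")
  {
    project: details["project_full_path"],
    mr_iid: details["merge_request_iid"],
    blocking_policies: vd.fetch("fail_closed_policies", []),
    counts: VIOLATION_KEYS.to_h { |k| [k, vd.fetch(k, []).size] },
    evaluation_errors: vd.fetch("errors", []).any?
  }
end
```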

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


Edited by Imam Hossain
