Collect audit events when merge request is merged with security policy violations
What does this MR do and why?
This MR implements an audit event that is generated when a merge request is merged despite having security policy violations. It gives security and compliance teams a record of every merge in which a policy violation was bypassed, either with the required approvals or without them because the policy is fail-open.
References
Related to #549813 (closed)
How to set up and validate locally
1. Enable the feature flag in the Rails console:
   `Feature.enable(:collect_merge_request_merged_with_policy_violations_audit_events)`
2. Switch to admin mode and set up audit event streaming:
   - Doc: https://docs.gitlab.com/administration/compliance/audit_event_streaming/#add-a-new-http-destination
   - Localhost path: http://gdk.test:3000/admin/audit_logs?tab=streams
   - HTTP listener: https://pipedream.com/ OR https://gitlab.com/imam_h/webhook-inbox
3. Set up a project with security policies:
   - Configure a merge request approval policy, for example one based on Secret Detection
   - Make sure the pipeline runs the required scanners, either through scan execution policies or in `.gitlab-ci.yml`
4. Create a merge request that violates the policy:
   - Add a secret to the changes so that a policy violation is triggered
   - Wait for the policy evaluation; PolicyBot posts a comment with the violation details
5. Either obtain the required approvals for the policy violations, or, if the policy is fail-open, merge the MR with the violations unresolved
6. Verify that an audit event of type `merge_request_merged_with_policy_violations` is recorded, both in the streaming destination and in the security policy project
Example Audit Event JSON
```json
{
  "id": 671,
  "author_id": 2,
  "entity_id": 24,
  "entity_type": "Project",
  "details": {
    "merge_request_title": "Edit .env",
    "merge_request_id": 314,
    "merge_request_iid": 40,
    "merged_at": "2025-06-25T14:08:22.687Z",
    "source_branch": "root-main-patch-33864",
    "target_branch": "main",
    "project_id": 24,
    "project_name": "Project 3",
    "project_full_path": "gitlab-org/project-3",
    "security_policy_approval_rules": [
      {
        "name": "Any MR Rule",
        "rule_type": "report_approver",
        "approvals_required": 1,
        "approved": true,
        "approved_approvers": [
          "rivka"
        ],
        "invalid_rule": false,
        "fail_open": true
      },
      {
        "name": "Security",
        "rule_type": "report_approver",
        "approvals_required": 1,
        "approved": true,
        "approved_approvers": [],
        "invalid_rule": true,
        "fail_open": false
      }
    ],
    "violation_details": {
      "fail_open_policies": [],
      "fail_closed_policies": [
        "Any MR Rule"
      ],
      "warn_mode_policies": [],
      "new_scan_finding_violations": [],
      "previous_scan_finding_violations": [],
      "license_scanning_violations": [],
      "any_merge_request_violations": [
        {
          "name": "Any MR Rule",
          "commits": true
        }
      ],
      "errors": [],
      "comparison_pipelines": []
    },
    "event_name": "merge_request_merged_with_policy_violations",
    "author_name": "Olinda Morissette",
    "author_class": "User",
    "target_id": 314,
    "target_type": "MergeRequest",
    "target_details": "Edit .env",
    "custom_message": "Merge request merged with 1 security policy violations",
    "ip_address": "172.16.123.1",
    "entity_path": "gitlab-org/project-3"
  },
  "ip_address": "172.16.123.1",
  "author_name": "Olinda Morissette",
  "entity_path": "gitlab-org/project-3",
  "target_details": "Edit .env",
  "created_at": "2025-06-26T15:11:09.535Z",
  "target_type": "MergeRequest",
  "target_id": 314,
  "event_type": "merge_request_merged_with_policy_violations"
}
```
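The validation steps above end at the streaming destination, which is where a security team would actually consume this event. The following Ruby is an added example (not code from this MR or from GitLab) of what a receiver behind the HTTP destination could do with it: check the verification token that audit event streaming sends in the `X-Gitlab-Event-Streaming-Token` header, then reduce the event to the fields a triage queue needs, in particular which approval rules were satisfied by a named approver and which were satisfied with no approver at all (fail-open or invalid rule). The sample body is a trimmed copy of the example event above; the function names, the `needs_review` heuristic and the summary shape are assumptions of this example.

```ruby
require 'json'

EXPECTED_EVENT_TYPE = 'merge_request_merged_with_policy_violations'

# Constructed sample: a trimmed copy of the example audit event above, as it
# would arrive in the body of the streaming POST.
SAMPLE_BODY = <<~JSON
  {
    "id": 671,
    "entity_type": "Project",
    "details": {
      "merge_request_iid": 40,
      "project_full_path": "gitlab-org/project-3",
      "security_policy_approval_rules": [
        {"name": "Any MR Rule", "rule_type": "report_approver", "approvals_required": 1,
         "approved": true, "approved_approvers": ["rivka"], "invalid_rule": false, "fail_open": true},
        {"name": "Security", "rule_type": "report_approver", "approvals_required": 1,
         "approved": true, "approved_approvers": [], "invalid_rule": true, "fail_open": false}
      ],
      "violation_details": {
        "fail_open_policies": [],
        "fail_closed_policies": ["Any MR Rule"],
        "warn_mode_policies": [],
        "new_scan_finding_violations": [],
        "previous_scan_finding_violations": [],
        "license_scanning_violations": [],
        "any_merge_request_violations": [{"name": "Any MR Rule", "commits": true}],
        "errors": [],
        "comparison_pipelines": []
      },
      "custom_message": "Merge request merged with 1 security policy violations"
    },
    "author_name": "Olinda Morissette",
    "target_type": "MergeRequest",
    "target_id": 314,
    "created_at": "2025-06-26T15:11:09.535Z",
    "event_type": "merge_request_merged_with_policy_violations"
  }
JSON

# The violation lists inside details.violation_details; their sizes add up to
# the count quoted in custom_message.
VIOLATION_LISTS = %w[
  new_scan_finding_violations previous_scan_finding_violations
  license_scanning_violations any_merge_request_violations
].freeze

# Length-guarded, constant-time byte comparison so a wrong token is not
# distinguishable by timing from a nearly-right one.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the per-destination token GitLab sends with every streamed event.
def authentic_delivery?(headers, expected_token)
  token = headers['X-Gitlab-Event-Streaming-Token']
  return false if token.nil? || expected_token.nil?
  constant_time_equal?(token, expected_token)
end

# How one policy approval rule ended up satisfied when the MR was merged.
def rule_disposition(rule)
  if rule['approved_approvers'].any?
    :approved_by_user
  elsif rule['approved']
    :satisfied_without_approver # fail-open or invalid rule; flags kept below
  else
    :unapproved
  end
end

# Reduce one event to what a triage queue cares about. Returns nil for any
# other event type so a caller can route on the result. (Assumed shape.)
def summarize_policy_violation_event(raw_body)
  event = JSON.parse(raw_body)
  return nil unless event['event_type'] == EXPECTED_EVENT_TYPE

  details = event.fetch('details')
  rules = details.fetch('security_policy_approval_rules', [])
  violations = details.fetch('violation_details', {})
  bypassed = rules
    .select { |r| rule_disposition(r) == :satisfied_without_approver }
    .to_h { |r| [r['name'], { fail_open: r['fail_open'], invalid_rule: r['invalid_rule'] }] }

  {
    event_type: event['event_type'],
    merge_request: "#{details['project_full_path']}!#{details['merge_request_iid']}",
    merged_by: event['author_name'],
    violation_count: VIOLATION_LISTS.sum { |k| Array(violations[k]).size },
    rules: rules.to_h { |r| [r['name'], rule_disposition(r)] },
    bypassed_rules: bypassed,
    # Assumed heuristic: anything satisfied with no approver, or any evaluation
    # error, is worth a human look.
    needs_review: bypassed.any? || Array(violations['errors']).any?
  }
end
```

On the sample event this reports one violation, `Any MR Rule` approved by `rivka`, and `Security` satisfied with no approver because the rule was invalid, which is the case a reviewer of these events most wants surfaced: the merge was not blocked, but nobody actually signed off on that rule.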
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.