Create audit logs when an MR is bypassed by security policy

What does this MR do and why?

As a part of Source branch pattern exceptions for MR Approva... (&18113 - closed), we are adding branch exceptions in the security policy through bypass_settings to bypass an approval from the security policy. Add branch exceptions to bypass_settings in MR ... (!194242 - merged) added the logic to bypass the approval behind the approval_policy_branch_exceptions feature flag.

This MR creates audit logs whenever an MR's approval is bypassed through the bypass_settings in the security policy. The MR's approval can be bypassed in these cases:

  • When an MR is created
  • When an MR's target branch is changed
  • When an MR is reopened

References

Screenshots or screen recordings

How to set up and validate locally

  • Create a project
  • Create an MR approval policy by editing in the YAML editor:
approval_policy:
  - name: Any MR Rules
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
    bypass_settings:
      branches:
        - source:
            name: release
          target:
            name: main
  • Enable the approval_policy_branch_exceptions feature flag for the security policy project
  • Create a branch (release)
  • Create an MR with release as the source branch and main as the target branch and observe that the approval is not required
  • Create an MR with another branch and observe that the approval is required
  • Close and reopen the MR with release as the source branch
  • Go to Secure -> Audit Events and notice that there is a record for the MR that is bypassed

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Addresses #549646 (closed)

Edited by Sashi Kumar Kumaresan
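
An added review helper, not part of this MR or of GitLab's code: it lists the source/target branch pairs in a policy's bypass_settings that skip required approvals, so each bypass audit event can be checked against an intended exception. The function names and the exact-name branch comparison are assumptions; the YAML is a constructed, trimmed copy of the policy from the validation steps.

```ruby
require "yaml"

# Constructed sample: trimmed copy of the policy from the validation steps.
SAMPLE_POLICY = <<~YAML
  approval_policy:
    - name: Any MR Rules
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
      bypass_settings:
        branches:
          - source:
              name: release
            target:
              name: main
YAML

# Returns one hash per (policy, source, target) exception that skips approval.
# Disabled policies are ignored because they enforce nothing to bypass.
def bypass_exceptions(policy_yaml)
  doc = YAML.safe_load(policy_yaml) || {}
  Array(doc["approval_policy"]).flat_map do |policy|
    next [] unless policy["enabled"]
    # Highest approval count any require_approval action would have demanded.
    required = Array(policy["actions"])
      .select { |a| a["type"] == "require_approval" }
      .map { |a| a["approvals_required"].to_i }.max.to_i
    Array(policy.dig("bypass_settings", "branches")).map do |pair|
      { policy: policy["name"], source: pair.dig("source", "name"),
        target: pair.dig("target", "name"), approvals_skipped: required }
    end
  end
end

# Names of policies whose approval an MR from `source` into `target` skips.
# Assumption: exact-name comparison only, as in the sample above.
def bypassed_by(policy_yaml, source, target)
  bypass_exceptions(policy_yaml)
    .select { |e| e[:source] == source && e[:target] == target }
    .map { |e| e[:policy] }
end
```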
