Add bypass option widget to merge request widget

What does this MR do and why?

This merge request adds a new "policy exceptions" feature to the security policy violation system in GitLab's merge request interface. The changes introduce a new bypass mode that allows authorized users to override security policy violations with proper documentation and justification.

Key changes include:

  • Added new bypass reason options specifically for policy exceptions (emergency production issues, critical business deadlines, technical limitations, and authorized business risk acceptance)
  • Updated the user interface to show different bypass options depending on whether it's "warn mode" or "exception mode"
  • Added informational tooltips and help text to guide users through the bypass process
  • Enhanced the modal dialog to display appropriate messaging for each bypass type
  • Added a new feature flag to control when this functionality is available
  • Updated text strings to be more descriptive and include proper punctuation

The feature ensures that when users bypass security policies, their actions are properly logged in audit trails, security teams are notified, and formal exception records are created. This provides better governance and accountability while still allowing necessary flexibility for urgent business needs.

References

Screenshots or screen recordings

Description: Bypass options exceptions
UI: Screen Recording 2025-09-18 at 14.44.49.mov

How to set up and validate locally

  1. Enable feature flags:

    Feature.enable(:security_policies_bypass_options_group_roles)
    Feature.enable(:security_policies_bypass_options_mr_widget)

  2. Go to Secure Policies.

  3. Create a Merge Request policy with the advanced settings bypass exceptions and rules preventing merge without approvals.

  4. Set this to 'exception_mode'.

  5. Create an MR and check the policy violation options; there should be a bypass option.

  6. It is not connected to the backend yet, but it is behind a feature flag.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #541468 (closed)

Edited by Artur Fedorov