Create audit event when policy dismissal is merged
What does this MR do and why?
Creates audit events when a merge request is merged with a dismissed warn-mode security policy.
We want to integrate dismissed policies into the vulnerability report page as well so I added a status field in preparation for this. We only want to show dismissals that are associated with an MR that was merged.
References
How to set up and validate locally
- Enable the feature flag:
  ```shell
  echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c
  ```
- Create a new project.
- On the left sidebar, select Secure and Policies.
- Select New policy.
- Select Scan execution policy.
- Enter a name and select Create new project with the new policy.
- Merge the MR
- Go back to the first project
- On the left sidebar, select Secure and Policies again.
- Select New policy.
- Select Merge request approval policy
- Switch to .yaml mode
- Paste the following config:
  ```yaml
  approval_policy:
    - name: MR - Security Scan
      description: Security Scan
      enabled: true
      enforcement_type: warn
      rules:
        - type: scan_finding
          scanners:
            - secret_detection
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
          role_approvers:
            - developer
            - maintainer
            - owner
        - type: send_bot_message
          enabled: true
      approval_settings:
        block_branch_modification: false
        prevent_pushing_and_force_pushing: false
        prevent_approval_by_author: false
        prevent_approval_by_commit_author: false
        remove_approvals_with_new_commit: false
        require_password_to_approve: false
      fallback_behavior:
        fail: open
  ```
- Select Configure with a merge request
- Merge the MR
- Go back to the first project and create an MR introducing a vulnerability: add a file `.env` with the following content:
  ```
  AWS_TOKEN='AKIAZYONPI3G4JNCCWGA'
  ```
- The MR should be blocked by the new policies
- Dismiss the policy using `/-/graphql-explorer` and the following query:
  ```graphql
  mutation DismissPolicyViolations(
    $projectPath: ID!,
    $mergeRequestIid: String!,
    $securityPolicyIds: [ID!]!,
    $dismissalTypes: [DismissalType!]!,
    $comment: String!
  ) {
    dismissPolicyViolations(input: {
      projectPath: $projectPath,
      iid: $mergeRequestIid,
      securityPolicyIds: $securityPolicyIds,
      dismissalTypes: $dismissalTypes,
      comment: $comment
    }) {
      errors
    }
  }
  ```
  Variables (replace with your own values):
  ```json
  {
    "projectPath": "mr-205857/test-2",
    "mergeRequestIid": "1",
    "securityPolicyIds": [91],
    "dismissalTypes": ["SCANNER_FALSE_POSITIVE"],
    "comment": "Dismissed this because of false positive"
  }
  ```
- Merge the MR
- On the left sidebar, select Secure and Audit events.
- A new audit event should be added. It may take a while until the background worker finishes and creates the event.
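The validation steps above walk through the behaviour end to end in the UI. The following Ruby script is an added example, not code from this MR or from GitLab: it models the same rule in isolation so the expected outcome can be checked offline. A dismissal carries a status, only dismissals whose MR was merged count for the report, and merging an MR that has a dismissed warn-mode policy yields one audit event per dismissal. The class names, the `event_name` value and the restriction that only warn-mode policies can be dismissed are assumptions of this model; the policy id, project path and dismissal values are the constructed ones from the steps above.

```ruby
require 'json'
require 'time'

# Added example, not GitLab's code. Policy, Dismissal and MergeRequest are
# hypothetical stand-ins for the real models; the event_name is invented.
Policy = Struct.new(:id, :name, :enforcement_type, keyword_init: true)
Dismissal = Struct.new(:policy, :dismissal_types, :comment, :status, keyword_init: true)

class MergeRequest
  attr_reader :iid, :project_path, :dismissals, :state

  def initialize(iid:, project_path:)
    @iid = iid
    @project_path = project_path
    @dismissals = []
    @state = 'opened'
  end

  # Records a dismissal with status 'pending'. Assumption of this model: only a
  # warn-mode policy can be dismissed; a fail-mode policy keeps blocking the merge.
  def dismiss(policy:, dismissal_types:, comment:)
    unless policy.enforcement_type == 'warn'
      raise ArgumentError, "policy #{policy.id} is not in warn mode"
    end
    dismissal = Dismissal.new(policy: policy, dismissal_types: dismissal_types,
                              comment: comment, status: 'pending')
    @dismissals << dismissal
    dismissal
  end

  # Merges the MR: every dismissal is marked 'merged' and one audit event per
  # dismissal is appended to the sink. Returns the events created; a second
  # merge! call is a no-op so no duplicate events are emitted.
  def merge!(merged_by:, audit_sink:)
    return [] unless @state == 'opened'
    @state = 'merged'
    events = @dismissals.map do |d|
      d.status = 'merged'
      build_audit_event(d, merged_by)
    end
    audit_sink.concat(events)
    events
  end

  private

  def build_audit_event(dismissal, merged_by)
    {
      'event_name' => 'policy_violations_dismissed_on_merge', # hypothetical name
      'author' => merged_by,
      'project_path' => @project_path,
      'merge_request_iid' => @iid,
      'policy_id' => dismissal.policy.id,
      'policy_name' => dismissal.policy.name,
      'dismissal_types' => dismissal.dismissal_types,
      'comment' => dismissal.comment,
      'created_at' => Time.now.utc.iso8601
    }
  end
end

# What the vulnerability report would list: only dismissals whose MR was merged.
def merged_dismissals(merge_requests)
  merge_requests.flat_map(&:dismissals).select { |d| d.status == 'merged' }
end

# Replays the scenario from the validation steps with constructed values.
def run_scenario
  audit_log = []
  policy = Policy.new(id: 91, name: 'MR - Security Scan', enforcement_type: 'warn')

  merged_mr = MergeRequest.new(iid: 1, project_path: 'mr-205857/test-2')
  merged_mr.dismiss(policy: policy, dismissal_types: ['SCANNER_FALSE_POSITIVE'],
                    comment: 'Dismissed this because of false positive')
  merged_mr.merge!(merged_by: 'maintainer', audit_sink: audit_log)

  # A dismissal on an MR that is never merged produces no audit event and
  # must not show up in the report.
  open_mr = MergeRequest.new(iid: 2, project_path: 'mr-205857/test-2')
  open_mr.dismiss(policy: policy, dismissal_types: ['SCANNER_FALSE_POSITIVE'],
                  comment: 'still open')

  { audit_log: audit_log, report: merged_dismissals([merged_mr, open_mr]) }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(run_scenario[:audit_log])
end
```

Running the script prints the single audit event for MR 1; the dismissal on the still-open MR 2 is neither audited nor listed, which is the filter the status field is meant to support.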
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #569628
Edited by Andy Schoenen