Skip to content

Only show warn mode policy selection when active

Alexander Turinskerequested to merge
561650-fix-warn-policy-button-appearing into master

What does this MR do and why?

Only show warn mode policy selection when active

  • currently the bypass selector modal shows if there are any warn mode policies instead of just non-dismissed warn mode policies
  • update variable names to be more descriptive
  • add tests

EE: true

References

Screenshots or screen recordings

Before After
Screenshot_2025-10-09_at_12.32.56_PM Screenshot_2025-10-09_at_12.32.45_PM

How to set up and validate locally

  1. Upload a GitLab Ultimate license
  2. Enable the security_policy_approval_warn_mode feature flag in http://gdk.test:3443/rails/features
  3. Create a ruby project (use ruby template) with SAST enabled (easiest scanner to enable)
  4. Install and run gitlab runners in your gdk (instructions)
  5. Navigate to the new project => Secure => Policies => New policy => Merge request approval policy
  6. Create a policy that is enforced and has you user as a bypass exception
Enforce policy 
approval_policy:
  - name: Prevent Critical Vulnerabilities
    description: This is to prevent Critical/High Vulnerabilities from getting merged
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
          - developer
          - owner
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: open
  1. Create a policy that is not enforced (warn policy)
Warn policy 
approval_policy:
- name: Warn - Prevent SAST vulnerabilities
  description: Security Scan
  enabled: true
  enforcement_type: "warn"
  rules:
  - type: scan_finding
    scanners:
    - sast
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - developer
    - maintainer
    - owner
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: false
    prevent_pushing_and_force_pushing: false
    prevent_approval_by_author: false
    prevent_approval_by_commit_author: false
    remove_approvals_with_new_commit: false
    require_password_to_approve: false
  fallback_behavior:
    fail: open
  1. Create an MR in the new project with vulnerable code
vulnerable_code.rb 
input = gets.chomp
eval("puts \#{input}")

job = params[:job]
eval(job)
  1. Verify the MR widget shows that policies are being violated
  2. Verify the "Bypass" button appears
  3. Verify clicking the Bypass button brings up a modal that lets you select between the exception policy and the warn mode policy
  4. Bypass the warn mode policy
  5. Click the "Bypass" button in the widget
  6. Verify the modal appears to bypass the exception policy and not the warn policy

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #561650 (closed)

Merge request reports