Draft: Add Danger plugin for security monitoring of authorization bypasses
What does this MR do and why?
Add Danger plugin for security monitoring of authorization bypasses
Implements automated detection of authorization bypass patterns in merge requests to prevent privilege escalation vulnerabilities, particularly in service account creation and Duo Workflows.
Detects security-sensitive patterns:
-
skip_admin_check,skip_permission_check,bypass_authorization -
composite_identity_enforced: false(AI attribution bypass) - Service account authorization bypasses
- Missing authentication/authorization in API endpoints
- Critical policy modifications
Changes
-
tooling/danger/security_monitoring.rb- Core detection logic -
danger/plugins/security_monitoring.rb- Plugin wrapper -
danger/security_monitoring/Dangerfile- Orchestrates checks -
spec/tooling/danger/security_monitoring_spec.rb- Unit tests (23 tests) -
spec/tooling/danger/security_monitoring_integration_spec.rb- Integration tests (13 tests)
Warns on MR with @gitlab-com/gl-security/appsec and
@gitlab-org/software-supply-chain-security/authorization/approvers for review.
Changelog: added
References
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.