Create audit events for restrictive warn-mode protected branch settings
What does this MR do and why?
We are working on warn mode for merge request approval policies (&15552). Violations associated with a policy that is in warn mode can be bypassed by users, and its approval_settings don't take effect.
This MR starts streaming audit events when a warn-mode policy is created or updated and its approval_settings restrict one or more project-level protected branches through:
- block_branch_modification
- prevent_pushing_and_force_pushing
Both settings only take effect on the protected branches matched by the policy's branches/branch_type, so which protected branches are reported depends on that rule scope.
References
How to set up and validate locally
- Create a project
- Switch to admin mode and set up the audit event streaming destination
- Localhost path: http://gdk.test:3000/admin/audit_logs?tab=streams
For a local HTTP listener, run
```shell
docker run -p 4567:4567 --rm --pull=always registry.gitlab.com/imam_h/webhook-inbox:latest
```
then visit http://0.0.0.0:4567/ (webhook path: http://0.0.0.0:4567/webhook)
- Add a protected branch in the project with Allow force push enabled
- Create security policies for the project
Policy YAML
.gitlab/security-policies/policy.yml
```yaml
---
approval_policy:
  - name: warn-mode policy
    description: Security Scan
    enabled: true
    enforcement_type: warn
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branches:
          - feature/*
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  - name: Enforced Policy
    enabled: false
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
```
Observation: policy_warn_mode_push_settings_overrides is received
Audit Event
```json
{
  "id": "d12281f4-4a7b-41aa-8358-85f690d226e1",
  "author_id": 680,
  "entity_id": 106,
  "entity_type": "Project",
  "details": {
    "event_name": "policy_warn_mode_push_settings_overrides",
    "author_name": "GitLab Security Policy Bot",
    "author_class": "User",
    "target_id": 846,
    "target_type": "Security::Policy",
    "target_details": "warn-mode policy",
    "custom_message": "In project (gitlab-org/warn-mode-policies), a warn-mode security policy's approval settings will override the branch protection(s) \"feature/*\": Prevent pushing and force pushing",
    "ip_address": null,
    "entity_path": "gitlab-org/warn-mode-policies"
  },
  "ip_address": "",
  "author_name": "GitLab Security Policy Bot",
  "entity_path": "gitlab-org/warn-mode-policies",
  "target_details": "warn-mode policy",
  "created_at": "2025-11-12T12:01:18.483Z",
  "target_type": "Security::Policy",
  "target_id": 846,
  "event_type": "policy_warn_mode_push_settings_overrides"
}
```
- Update the warn-mode security policy's approval settings through an MR, changing block_branch_modification from false to true
Observation: policy_warn_mode_push_settings_overrides is not received, since that restriction is already applied by the Enforced policy
- Assign the security policy project to a group
Observation: An audit event is generated for all projects in the group where branch modification and force push are enforced by this security policy
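The Ruby snippet below is an added illustration of the rule described in this MR, not code from the MR or from GitLab. For a constructed policy file and a constructed set of project-level protected branches it works out which protected branches a warn-mode policy's restrictive approval settings would override, drops restrictions that an enabled enforce-mode policy already imposes on the same branch (the "not received" observation above), and builds the custom_message shown in the audit event. The glob matching of `branches` patterns, the "Block branch modification" label and the message layout for several branches are assumptions.

```ruby
require 'yaml'

# Constructed sample policy file (not the one above): the warn-mode policy sets
# both restrictive settings and the enforce-mode policy is enabled.
POLICY_YAML = <<~YAML
  approval_policy:
    - name: warn-mode policy
      enabled: true
      enforcement_type: warn
      rules:
        - type: scan_finding
          branches: ["feature/*"]
      approval_settings:
        block_branch_modification: true
        prevent_pushing_and_force_pushing: true
    - name: Enforced Policy
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
      approval_settings:
        block_branch_modification: true
YAML

POLICIES = YAML.safe_load(POLICY_YAML).fetch('approval_policy').freeze
# Constructed project-level protected branches; "feature/*" is a wildcard rule.
PROTECTED_BRANCHES = ['main', 'feature/*'].freeze

# Labels used in custom_message. The second is quoted from the audit event on
# this page; the first is an assumption.
PUSH_SETTINGS = {
  'block_branch_modification' => 'Block branch modification',
  'prevent_pushing_and_force_pushing' => 'Prevent pushing and force pushing'
}.freeze

def warn_mode?(policy)
  policy['enabled'] == true && policy['enforcement_type'] == 'warn'
end

def enforce_mode?(policy)
  policy['enabled'] == true && policy['enforcement_type'] != 'warn'
end

# Protected branches a policy's rules reach: branch_type: protected covers all
# of them; branches: [...] covers names equal to or glob-matching a pattern
# (glob semantics are assumed here).
def targeted_branches(policy, protected_branches)
  rules = policy.fetch('rules', [])
  return protected_branches if rules.any? { |r| r['branch_type'] == 'protected' }

  patterns = rules.flat_map { |r| r.fetch('branches', []) }
  protected_branches.select do |name|
    patterns.any? { |p| p == name || File.fnmatch(p, name) }
  end
end

def restrictive_settings(policy)
  settings = policy.fetch('approval_settings', {})
  PUSH_SETTINGS.keys.select { |k| settings[k] == true }
end

# Restrictions per branch already imposed by enabled enforce-mode policies.
def enforced_restrictions(policies, protected_branches)
  policies.select { |p| enforce_mode?(p) }.each_with_object({}) do |p, acc|
    targeted_branches(p, protected_branches).each do |b|
      acc[b] = (acc[b] || []) | restrictive_settings(p)
    end
  end
end

# One policy_warn_mode_push_settings_overrides event per warn-mode policy whose
# settings override at least one protected branch beyond what enforce-mode
# policies already impose. The layout for several branches is assumed.
def warn_mode_audit_events(project_path, policies, protected_branches)
  already = enforced_restrictions(policies, protected_branches)

  policies.select { |p| warn_mode?(p) }.filter_map do |policy|
    settings = restrictive_settings(policy)
    overrides = targeted_branches(policy, protected_branches).filter_map do |b|
      remaining = settings - (already[b] || [])
      [b, remaining] unless remaining.empty?
    end
    next if overrides.empty?

    branches = overrides.map { |b, _| "\"#{b}\"" }.join(', ')
    labels = overrides.flat_map { |_, s| s }.uniq.map { |k| PUSH_SETTINGS[k] }.join(', ')
    {
      'event_name' => 'policy_warn_mode_push_settings_overrides',
      'target_details' => policy['name'],
      'custom_message' => "In project (#{project_path}), a warn-mode security policy's " \
                          "approval settings will override the branch protection(s) " \
                          "#{branches}: #{labels}"
    }
  end
end

if $PROGRAM_NAME == __FILE__
  warn_mode_audit_events('gitlab-org/warn-mode-policies', POLICIES, PROTECTED_BRANCHES)
    .each { |e| puts e['custom_message'] }
end
```

Run as a script it prints a single message for "feature/*" naming only "Prevent pushing and force pushing": block_branch_modification is filtered out because the enabled Enforced Policy already blocks modification on every protected branch, which is the same reason the second validation step above receives no event.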
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #563867 (closed)
