Only preserve policy dismissals if MR targets default branch

What does this MR do and why?

Only preserve policy dismissals if targeting default

We show preserved policy dismissals in the vulnerability report. Vulnerabilities are only created for findings on the default branch. If we preserve dismissals for MRs that didn't merge into default, we risk showing them on the vulnerability report even though the dismissal could not be responsible for introducing the vulnerability to the default branch.

📺 Bug behavior: https://youtu.be/j6AUS-XnXpw

How to set up and validate locally

  1. Enable the feature flag: echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c
  2. Create a new project.
  3. On the left sidebar, select Secure and Policies.
  4. Select New policy.
  5. Select Scan execution policy.
  6. Enter a name and select Create new project with the new policy.
  7. Merge the MR
  8. Go back to the first project
  9. On the left sidebar, select Secure and Policies again.
  10. Select New policy.
  11. Select Merge request approval policy
  12. Switch to .yaml mode
  13. Paste the following config:
    approval_policy:
      - name: warn-mode policy
        description: Security Scan
        enabled: true
        enforcement_type: warn
        rules:
          - type: scan_finding
            scanners:
              - secret_detection
            vulnerabilities_allowed: 0
            severity_levels: []
            vulnerability_states: []
            branch_type: protected
        actions:
          - type: require_approval
            approvals_required: 1
            role_approvers:
              - developer
              - maintainer
              - owner
          - type: send_bot_message
            enabled: true
        approval_settings:
          block_branch_modification: false
          prevent_pushing_and_force_pushing: false
          prevent_approval_by_author: false
          prevent_approval_by_commit_author: false
          remove_approvals_with_new_commit: false
          require_password_to_approve: false
        fallback_behavior:
          fail: open
    
  14. Select Configure with a merge request
  15. Merge the MR
  16. Back to the first project. Create a new branch feature-branch
  17. Go to Settings > Repository > Protected branches
  18. Select your branch and click Protect
  19. Create an MR targeting the feature-branch and introducing a vulnerability. Add a file .env with the following content:
    AWS_TOKEN='AKIAZYONPI3G4JNCCWGA'
  20. The MR should be blocked by the warn-mode policy after the pipeline finishes
  21. Dismiss the policy by selecting Bypass next to the policy violation warning on the MR
  22. Provide a description like Merge into feature-branch MR
  23. Merge the MR into feature-branch
  24. Now create the same MR targeting the default branch
  25. Bypass the policy again, this time with reason Merge into default branch
  26. Merge the MR
  27. Wait for the latest branch pipeline to finish
  28. On the left sidebar select Secure > Vulnerability report
  29. Select the AWS access token vulnerability
  30. Only the Merge into default branch policy bypass should show up.
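The rule described in the "What does this MR do" section and exercised by the validation steps above, as an added illustration in plain Ruby. This is not GitLab's code: the Project, MergeRequest and PolicyDismissal structs, the preserve_dismissal? and report_dismissals helpers and the sample data are all constructed here to show why only the default-branch bypass reaches the vulnerability report; the only condition modelled is the MR's target branch, exactly as the MR title states.

```ruby
# Added illustration (not GitLab's implementation) of the rule this MR
# introduces: a policy bypass recorded on a merge request is preserved for
# the vulnerability report only when that MR targets the project's
# default branch, because vulnerabilities only exist for default-branch
# findings. Struct names and helpers below are assumptions for this example.

Project = Struct.new(:default_branch, keyword_init: true)
MergeRequest = Struct.new(:iid, :target_branch, keyword_init: true)
PolicyDismissal = Struct.new(:merge_request, :reason, keyword_init: true)

# True when the dismissal's MR targets the default branch, i.e. when the
# bypass could actually be responsible for a default-branch vulnerability.
def preserve_dismissal?(project, dismissal)
  dismissal.merge_request.target_branch == project.default_branch
end

# Bypass reasons the vulnerability report should show for a finding:
# dismissals from MRs targeting other branches are dropped.
def report_dismissals(project, dismissals)
  dismissals.select { |d| preserve_dismissal?(project, d) }.map(&:reason)
end

# Constructed scenario mirroring validation steps 19-30: the same finding
# is bypassed once on an MR into feature-branch and once on an MR into
# the default branch.
def example_scenario
  project = Project.new(default_branch: "main")
  feature_mr = MergeRequest.new(iid: 1, target_branch: "feature-branch")
  default_mr = MergeRequest.new(iid: 2, target_branch: "main")
  dismissals = [
    PolicyDismissal.new(merge_request: feature_mr, reason: "Merge into feature-branch MR"),
    PolicyDismissal.new(merge_request: default_mr, reason: "Merge into default branch"),
  ]
  report_dismissals(project, dismissals)
end

puts example_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints only the "Merge into default branch" reason, matching the expected outcome of step 30; without the target-branch check both bypass reasons would be listed against the default-branch vulnerability.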

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
