Draft: Spike explore policy evaluations to consider branch rules
What does this MR do and why?
Today every project approval rule created by a security policy is copied onto the MR and the approvals widget filters rules and violations by branch rules afterwards. This spike moves the branch check to the point where MR approval rules are created: each project approval rule is checked against the MR target branch (on MR creation, on target-branch change and on reopen); rules that apply are copied and their violations registered, rules that do not apply are deleted together with their violations, so no filtering is needed later.

```mermaid
flowchart TD
%% --- NEW SYSTEM ---
subgraph UpdatedBehavior["Updated Policy Evaluation steps"]
A2["<table><tr><td>Security Policy →<br> Create Project Approval Rules</td></tr></table>"]
B2["<table><tr><td>Create Merge Request</td></tr></table>"]
C2["<table><tr><td>Check for each Project Approval Rule<br>applies to target branch?</td></tr></table>"]
D2a["<table><tr><td>Copy Project rule → MR approval rule<br>& Register Violations</td></tr></table>"]
D2b["<table><tr><td>Delete MR approval rule &<br>violations if exist</td></tr></table>"]
E2["<table><tr><td>Approvals widget: Updated merge request approval rules</td></tr></table>"]
F2["<table><tr><td>Wait for security scanning</td></tr></table>"]
G2["<table><tr><td>Update required approvals</td></tr></table>"]
H2["<table><tr><td>On Target Branch Change / <br> Reopen MR </td></tr></table>"]
A2 --> B2 --> C2
C2 -->|Yes| D2a
C2 -->|No| D2b
D2a --> E2
D2b --> E2
E2 --> F2 --> G2 --> E2
H2 --> C2
end
%% --- OLD SYSTEM ---
subgraph ExistingBehavior["Existing Policy Evaluation steps"]
A1["<table><tr><td>Security Policy →<br> Create Project Approval Rules</td></tr></table>"]
B1["<table><tr><td>Create Merge Request</td></tr></table>"]
C1["<table><tr><td>Copy all Project Approval Rules →<br> MR Approval Rules</td></tr></table>"]
D1["<table><tr><td>Register Violations for each MR approval rule</td></tr></table>"]
E1["<table><tr><td>Approvals widget: Filter MR approval rules and<br>violations by branch rules</td></tr></table>"]
F1["<table><tr><td>Wait for security scanning</td></tr></table>"]
G1["<table><tr><td>Update required approvals or remove violations</td></tr></table>"]
H1["<table><tr><td>On Target Branch Change / <br> Reopen MR</td></tr></table>"]
A1 --> B1 --> C1 --> D1 --> E1 --> F1 --> G1
H1 --> E1
G1 --> E1
end
%% --- STYLING ---
style UpdatedBehavior fill:#f2fff2,stroke:#33cc33,stroke-width:1px
style ExistingBehavior fill:#fff2f2,stroke:#ff6666,stroke-width:1px
```
References
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
- Create a project with the following security policies:
  - `MR - Security Scan` (no approval overrides)
  - `Sast scan - feature branch` (includes approval overrides)
  - `Any MR Policy` (includes approval overrides)
Test Setup
`.gitlab/security-policies/policy.yml`:

```yaml
---
approval_policy:
  - name: MR - Security Scan
    description: Security Scan
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: open
  - name: Sast scan - feature branch
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - sast
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branches:
          - feature/*
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  - name: Any MR Policy
    description: ''
    enabled: true
    enforcement_type: enforce
    rules:
      - type: any_merge_request
        commits: any
        branches:
          - feature/*
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
```
`.gitlab-ci.yml` (`AST_ENABLE_MR_PIPELINES` is set globally so the included scanner jobs run in merge request pipelines):

```yaml
image: busybox:latest

include:
  - template: 'Jobs/Secret-Detection.gitlab-ci.yml'
  - template: 'Jobs/SAST.gitlab-ci.yml'

stages:
  - test

test_job:
  stage: test
  script:
    - echo "Running tests..."

variables:
  AST_ENABLE_MR_PIPELINES: "true"
```
- Navigate to project -> Settings -> Repository -> Protected branches and add a protected branch `feature/*`
- Navigate to project -> Settings -> Merge requests -> Merge request approvals: uncheck all boxes
- Add the following 2 files in a branch and create an MR (the first is a fixture that triggers secret detection, the second triggers a SAST finding):

  `env.sample`
  ```
  AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
  ```

  `tes.rb`
  ```ruby
  job = params[:job]
  eval(job)
  ```
  Observation: only the `MR - Security Scan` policy is violated, since the MR targets `main` (a protected branch) and the other two policies are scoped to `feature/*`. Approval rules and the policy bot comment are recorded accordingly.
- Create a feature branch (`feature/test-branch`) in the repository and change the MR target branch to it.

  Observation: all 3 policies are violated (`feature/*` is protected, so `MR - Security Scan` still applies, and the two `feature/*`-scoped policies now match); approval rules and the policy bot comment are updated accordingly.
- Change the target branch back to `main`.

  Observation:
  - Existing behavior: the approval overrides (`approval_settings`) of the `Sast scan - feature branch` policy are still applied even though that policy no longer matches the target branch.
  - Updated behavior: they are not.
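The per-rule branch check from the flowchart, walked through on the three target-branch changes of the validation steps above, as an added example that is not GitLab's code. `PolicyRule`, `rule_applies?`, `evaluate_mr_rules` and `walkthrough` are hypothetical names; `wildcard_match?` is a simplification of GitLab's wildcard matching, and "the stricter value wins when several applicable policies set the same approval setting" is an assumption of this example. The rule set and protected-branch patterns are constructed from the policy.yml and setup steps in this description.

```ruby
require 'set'

# One project-level approval rule derived from a policy. `branch_type` is
# nil or 'protected'; `branches` is a list of wildcard patterns. These are
# the two branch selectors used by the policy.yml above.
PolicyRule = Struct.new(:name, :branch_type, :branches, :approval_settings, keyword_init: true)

# Simplified GitLab-style wildcard: '*' matches any characters, '/' included
# (File.fnmatch? without FNM_PATHNAME lets '*' span '/').
def wildcard_match?(pattern, branch)
  File.fnmatch?(pattern, branch)
end

def protected_branch?(branch, protected_patterns)
  protected_patterns.any? { |p| wildcard_match?(p, branch) }
end

# Step C2 of the flowchart: does this project rule apply to the target branch?
def rule_applies?(rule, target_branch, protected_patterns)
  if rule.branch_type == 'protected'
    protected_branch?(target_branch, protected_patterns)
  elsif rule.branches && !rule.branches.empty?
    rule.branches.any? { |p| wildcard_match?(p, target_branch) }
  else
    true # no branch selector: the policy applies to every target branch
  end
end

# Approval overrides come only from rules that apply; when several applicable
# policies set the same key, the stricter (true) value wins (assumption).
def merge_settings(rules)
  rules.each_with_object(Hash.new(false)) do |rule, acc|
    rule.approval_settings.each { |key, value| acc[key] ||= value }
  end
end

# Steps C2 -> D2a / D2b: given the rules already copied onto the MR, decide
# which project rules must be copied (violations registered) and which MR
# rules (with their violations) must be deleted. Re-run on every target-branch
# change or reopen (H2 in the flowchart).
def evaluate_mr_rules(project_rules, existing_mr_rule_names, target_branch, protected_patterns)
  applicable = project_rules.select { |r| rule_applies?(r, target_branch, protected_patterns) }
  applicable_names = applicable.map(&:name).to_set
  existing = existing_mr_rule_names.to_set
  {
    applicable: applicable_names.to_a.sort,
    create:     (applicable_names - existing).to_a.sort,
    delete:     (existing - applicable_names).to_a.sort,
    settings:   merge_settings(applicable)
  }
end

# Constructed from the policy.yml in this MR description (only the settings
# that differ between the policies are carried).
POLICY_RULES = [
  PolicyRule.new(name: 'MR - Security Scan', branch_type: 'protected', branches: nil,
                 approval_settings: { prevent_approval_by_author: false, block_branch_modification: false }),
  PolicyRule.new(name: 'Sast scan - feature branch', branch_type: nil, branches: ['feature/*'],
                 approval_settings: { prevent_approval_by_author: true, block_branch_modification: false }),
  PolicyRule.new(name: 'Any MR Policy', branch_type: nil, branches: ['feature/*'],
                 approval_settings: { prevent_approval_by_author: true, block_branch_modification: true })
].freeze

# Protected branches as configured in the setup steps (default branch plus feature/*).
PROTECTED_PATTERNS = ['main', 'feature/*'].freeze

# The three validation steps: target main, retarget to feature/test-branch, retarget to main.
def walkthrough
  step1 = evaluate_mr_rules(POLICY_RULES, [], 'main', PROTECTED_PATTERNS)
  step2 = evaluate_mr_rules(POLICY_RULES, step1[:applicable], 'feature/test-branch', PROTECTED_PATTERNS)
  step3 = evaluate_mr_rules(POLICY_RULES, step2[:applicable], 'main', PROTECTED_PATTERNS)
  [step1, step2, step3]
end

if __FILE__ == $PROGRAM_NAME
  walkthrough.each_with_index { |step, i| puts "step #{i + 1}: #{step.inspect}" }
end
```

In the third step the two `feature/*` rules land in `delete` and `settings[:prevent_approval_by_author]` is back to `false`, which is the updated behavior the last observation describes: the `Sast scan - feature branch` overrides are dropped together with its MR approval rule instead of lingering after the retarget.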
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #553189

