Trigger SAST FP worker when project has duo access

What does this MR do and why?

Adds a permission check to ensure that only users with duo_workflow ability can trigger the SAST false positive detection workflow when a vulnerability is created.

We were getting around 80% errors with reason "forbidden to access duo workflow". Link [INTERNAL]


Root Cause

The SAST false positive detection worker was being triggered for any user who created a vulnerability in a project with Duo access enabled, without verifying if the user had the necessary permissions to use Duo features.

Solution

Introduces a permission check using Ability.allowed?(author, :duo_workflow, project) in the trigger_false_positive_detection method to ensure only authorized users can trigger the workflow.

How to validate

  1. Create a project with duo_sast_fp_detection_enabled: true
  2. Create a user without duo_workflow permission
  3. Create a SAST vulnerability with high/critical severity as that user
  4. Verify the false positive detection workflow is NOT triggered
  5. Create another user with duo_workflow permission
  6. Create a SAST vulnerability with high/critical severity as that user
  7. Verify the false positive detection workflow IS triggered

Edited by Huzaifa Iftikhar
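The gate the MR describes, as an added illustration that is not GitLab's code: Ability, User, Project and the worker are constructed stand-ins so the check runs offline, and the project-flag and high/critical-severity conditions are assumed from the validation steps rather than taken from the real trigger_false_positive_detection.

```ruby
require 'set'

# Constructed stand-in for GitLab's Ability.allowed?(user, ability, subject);
# the real policy engine is far richer. Here a user simply holds a set of abilities.
module Ability
  def self.allowed?(user, ability, _subject)
    user.abilities.include?(ability)
  end
end

User = Struct.new(:name, :abilities)
Project = Struct.new(:duo_sast_fp_detection_enabled)
Vulnerability = Struct.new(:id, :project, :author, :report_type, :severity)

# Records triggered vulnerability ids instead of enqueuing a background job.
class FakeFpWorker
  @enqueued = []
  class << self
    attr_reader :enqueued

    def perform_async(vulnerability_id)
      @enqueued << vulnerability_id
    end
  end
end

HIGH_SEVERITIES = %w[high critical].freeze

# Gate modelled on the MR description; returns true when the worker is triggered.
# Assumption: the project flag and SAST high/critical severity were already
# required before this MR; the Ability check is the condition the MR adds.
def trigger_false_positive_detection(vuln, worker: FakeFpWorker)
  project = vuln.project
  return false unless project.duo_sast_fp_detection_enabled
  return false unless vuln.report_type == :sast && HIGH_SEVERITIES.include?(vuln.severity)
  # Fail closed: the author must hold :duo_workflow on the project.
  return false unless Ability.allowed?(vuln.author, :duo_workflow, project)

  worker.perform_async(vuln.id)
  true
end

# Walks the "How to validate" steps with two constructed users.
def validation_scenario
  project = Project.new(true)
  without_duo = User.new('no-duo-user', Set.new)
  with_duo = User.new('duo-user', Set[:duo_workflow])
  {
    without_permission: trigger_false_positive_detection(
      Vulnerability.new(1, project, without_duo, :sast, 'critical')),
    with_permission: trigger_false_positive_detection(
      Vulnerability.new(2, project, with_duo, :sast, 'high'))
  }
end
```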
