Backport of 'Stop unblocking policy approvals when security jobs get canceled'

What does this MR do and why?

Stop unblocking policy approvals when security jobs get canceled (!223614 (merged))

When the unblock_rules_using_execution_policies option is enabled for merge request approval policies, security scanners are not required to run as long as they are enforced by SEP or PEP. The approvals are required when the security job runs and fails; however, when the jobs run and get canceled, the approvals stay optional. We should treat it as a failure and not unblock policy approvals in that case, to prevent bypass.

The backport is low-effort and fixes an existing bug which causes a gap in policy enforcement.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • The MR title is descriptive (e.g. "Backport of 'title of default branch MR'"). This is important, since the title will be copied to the patch blog post.
  • Required labels have been applied to this merge request
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:test-on-omnibus-ee job has succeeded, or if it has failed, investigate the failures. If you determine the failures are unrelated, you may proceed. If you need assistance investigating, reach out to a Software Engineer in Test in #s_developer_experience.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Martin Cavoj
