Require approvals when security scans do not complete successfully

What does this MR do and why?

Require approvals when security scans do not complete successfully.

When a security scan job is canceled or fails after producing artifacts, the scan appears "present" but yields zero ingested findings — allowing MRs to bypass approval policies.

Add an enforce_scan_completion! check in UpdateApprovalsService to address this gap.
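As an added illustration that is not the MR's own code, the decision before and after the check, in miniature: `Job`, `SAMPLE_JOBS`, `COMPLETED_STATUSES` and the method names are constructed stand-ins, not GitLab identifiers.

```ruby
# Added illustration, not the MR's code: models the gap described above.
# Job, SAMPLE_JOBS, COMPLETED_STATUSES and the method names are constructed.
Job = Struct.new(:name, :scan_type, :status, :artifact_uploaded, :findings,
                 keyword_init: true)

COMPLETED_STATUSES = %w[success].freeze

# Constructed sample: the SAST job was canceled after uploading its report,
# so the report exists but no findings were ingested.
SAMPLE_JOBS = [
  Job.new(name: "semgrep-sast", scan_type: "sast", status: "canceled",
          artifact_uploaded: true, findings: 0),
  Job.new(name: "secret_detection", scan_type: "secret_detection",
          status: "success", artifact_uploaded: true, findings: 0)
].freeze

# Before: "scan present" is judged by the artifact alone, so a canceled job
# with an uploaded report counts as a clean scan and approvals become optional.
def approval_required_before?(jobs, required_scan:)
  scans = jobs.select { |j| j.scan_type == required_scan && j.artifact_uploaded }
  return true if scans.empty? # no scan at all: keep approvals required

  scans.any? { |j| j.findings.positive? }
end

# After: a scan only counts when its job finished successfully. A missing,
# canceled or failed job of the required type forces approval, and the
# incomplete job names are returned so a bot comment can list them.
def enforce_scan_completion(jobs, required_scan:)
  scans = jobs.select { |j| j.scan_type == required_scan }
  incomplete = scans.reject { |j| COMPLETED_STATUSES.include?(j.status) }
  if scans.empty? || incomplete.any?
    return { required: true, incomplete_jobs: incomplete.map(&:name) }
  end

  { required: scans.any? { |j| j.findings.positive? }, incomplete_jobs: [] }
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{approval_required_before?(SAMPLE_JOBS, required_scan: 'sast')}"
  puts "after:  #{enforce_scan_completion(SAMPLE_JOBS, required_scan: 'sast')}"
end
```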

References

Screenshots or screen recordings

Before and After screenshots (images not included in the page text)

How to set up and validate locally

  1. Create a project with SAST approval policies and SAST enforced by SEP
  2. Introduce a SAST vulnerability in MR
  3. Cancel the SAST job after it has uploaded its artifact but before it finishes.
  4. Verify that approvals are optional
  5. Enable the feature flag require_approvals_for_canceled_scans
  6. Repeat steps 2 and 3.
  7. Verify that the approvals are required and there's a bot comment mentioning the failed scans.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #590585

Edited by Martin Cavoj
