<!-- The first four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. --> ### Problem to solve <!-- What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)." --> Compliance departments want to ensure that certain rules are followed. The intent behind this is to build a special rule within the Merge Request that looks for results from specific Report Artifacts and determines whether or not those artifacts validate compliance or lack thereof. If the compliance rules are met (a set of specified [`artifacts:reports`](https://docs.gitlab.com/ee/ci/yaml/#artifactsreports) have been generated for a given pipeline), then the MR can proceed without needing the MR to be approved by a designated Compliance Team member. If the compliance rules are **not** met, then the MR can only proceed after the MR is approved by a designated Compliance Team member. ### Intended users * [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager) ### User experience goal <!-- What is the single user experience workflow this problem addresses? For example, "The user should be able to use the UI/API/.gitlab-ci.yml with GitLab to <perform a specific task>" https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/ --> The intent is to loop compliance teams into the MR process when specific compliance rules (aka [`artifacts:reports`](https://docs.gitlab.com/ee/ci/yaml/#artifactsreports)) are not being created. For example, ensuring that SAST scans are being run. ### Proposal <!-- How are we going to solve the problem? Try to include the user journey! https://about.gitlab.com/handbook/journeys/#user-journey --> Similar to the `Vulnerability-Check` ([docs](https://docs.gitlab.com/ee/user/application_security/#security-approvals-in-merge-requests)), this aims to provide users the ability to define a `Compliance-Check` MR Approval Rule that, when created, checks for specific results in the Pipeline Reports Artifacts. #### Setting Up The Rule The rule will initially be defined in the MR Approvals section. The `Compliance-Check` approval rule name is a keyword that GitLab will use to intelligently determine special rules need to be applied, following the same experience as the `Vulnerability-Check` approval rule name.  #### MR Page When Security Scanning Jobs Detect Vulnerabilities & Compliance Jobs Detect Compliance Issues When implemented, the MR will dynamically look for specific [`artifacts:reports`](https://docs.gitlab.com/ee/ci/yaml/#artifactsreports). To begin with this might be a statically defined list of artifacts (for example `artifacts:reports:sast`, `artifacts:reports:codequality`, `artifacts:reports:license_scanning`) but could later be user-defined. Based on the output of these reports will either allow the MR to proceed without approval from the Compliance Team because the checks succeeded or require approval because the compliance checks failed.  #### MR Page When Security Scanning Jobs Do NOT Detect Vulnerabilities & Compliance Jobs Do NOT Detect Compliance Issues Notice how the screenshot above requires Compliance-Check approval `0 of 1` whereas the job below lists them as `(optional)`. This is because the most recent pipeline successfully generated all of the necessary and agreed upon `artifacts:reports`.  ### Further details <!-- Include use cases, benefits, goals, or any other details that will help us understand the problem better. --> This, in addition to a Code Owners File requiring the Compliance Team to verify any changes to the CI YAML could help ensure that the Compliance Team is engaged any time a specific Compliance Job is modified/removed/etc... In the future, this idea can be built upon to include specific results expectations for the `artifacts:reports` including their job state (succeed/fail) as well as results. An example would be the code coverage job may be specified so that it needs to complete successfully and be above a certain percentage in order to not require sign-off from compliance. The `Vulnerability-Scan` MR Approval Rule currently has static criteria. An issue exists (https://gitlab.com/gitlab-org/gitlab/-/issues/216593) to expand upon this to support dynamic rulesets. It ought to be assumed that their UX should align to future iterations on the Compliance UX. Their current "intelligent ruleset" is as follows: > A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity. ### Permissions and Security <!-- What permissions are required to perform the described actions? Are they consistent with the existing permissions as documented for users, groups, and projects as appropriate? Is the proposed behavior consistent between the UI, API, and other access methods (e.g. email replies)?--> ### Documentation <!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/workflow.html#for-a-product-change * Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements * If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html --> ### Availability & Testing <!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance. * Unit test changes * Integration test changes * End-to-end test change See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning --> ### What does success look like, and how can we measure that? <!-- Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. --> ### What is the type of buyer? <!-- What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/ In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers --> ### Is this a cross-stage feature? <!-- Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features --> ### Links / references