`fail_open` rules immediately unblocked after merge request creation with async pipeline
## Why are we doing this work

MRAP with `fallback_behavior: open` are supposed to fail open only if no CI pipeline gets created, or a CI pipeline gets created but completes without the security report demanded by the fail-open policy.

However when pipelines are created asynchronously with the `async_mr_pipeline_creation` feature flag enabled, fail-open rules don't block MRs with in-flight pipelines.

## Relevant links

n/a

## Non-functional requirements

- [ ] Documentation:
- [ ] Feature flag:
- [ ] Performance:
- [ ] Testing:

## Implementation plan

TBD

## Verification steps

1. Commit the following `.gitlab-ci.yml`:

   ```yaml
   workflow:
     rules:
       - if: $CI_MERGE_REQUEST_ID
       - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

   test:
     image: busybox
     script: sleep 10
   ```

2. Declare the following MRAP:

   ```yaml
   approval_policy:
     - name: Container Scanning Fail Open
       enabled: true
       actions:
         - type: require_approval
           approvals_required: 1
           role_approvers:
             - owner
       rules:
         - type: scan_finding
           scanners:
             - container_scanning
           vulnerabilities_allowed: 0
           severity_levels: []
           vulnerability_states: []
           branch_type: protected
       fallback_behavior:
         fail: open
   ```

3. Open a merge request targeting the default branch. Note that the fail-open approval rule requires no approvals, immediately after merge request creation.
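The expected behaviour described above, written out as an added Ruby model over the verification timeline. It is not GitLab's implementation: `Snapshot`, `fail_open_decision`, `decisions_for` and the set of statuses treated as "completed" are assumptions made for illustration.

```ruby
# Added illustration, not GitLab code. All names here are hypothetical.
# A Snapshot is what an approval-rule evaluation could see for the MR's
# head pipeline at one point in time.
Snapshot = Struct.new(:creation_pending, :status, :reports, keyword_init: true)

# Assumption: pipeline statuses in which the pipeline has completed.
COMPLETED = %w[success failed canceled skipped].freeze

# Returns :unblock when the rule may fail open, :block while the MR must
# stay blocked, and :evaluate_findings when the required report exists and
# the rule is decided by its findings rather than by the fallback.
def fail_open_decision(snap, required_report)
  # Async creation: no pipeline exists yet, but one has been requested.
  return :block if snap.creation_pending
  # No pipeline was created and none is on its way: fail open.
  return :unblock if snap.status.nil?
  # In-flight pipeline: the report may still be produced.
  return :block unless COMPLETED.include?(snap.status)
  # Completed pipeline: fail open only if the required report is missing.
  snap.reports.include?(required_report) ? :evaluate_findings : :unblock
end

# Constructed timeline for the verification steps: MR opened with async
# pipeline creation, then the `test` job (sleep 10) runs and finishes
# without producing a container_scanning report.
TIMELINE = [
  Snapshot.new(creation_pending: true,  status: nil,       reports: []),
  Snapshot.new(creation_pending: false, status: "pending", reports: []),
  Snapshot.new(creation_pending: false, status: "running", reports: []),
  Snapshot.new(creation_pending: false, status: "success", reports: [])
].freeze

def decisions_for(timeline, required_report)
  timeline.map { |snap| fail_open_decision(snap, required_report) }
end

if __FILE__ == $PROGRAM_NAME
  p decisions_for(TIMELINE, "container_scanning")
end
```

Under this model the rule stays blocking until the pipeline completes, which is the opposite of what step 3 observes immediately after merge request creation.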