## Summary There is no audit event recorded when a user enables or disables the **"Status checks must succeed"** project setting (Settings > Merge requests). This creates a compliance gap where a Maintainer or Owner can silently bypass external status checks on merge requests. ## Problem The following bypass is currently possible with no audit trail: 1. A Merge Request is created. 2. The **"Status checks must succeed"** setting is enabled in the repository settings. 3. A user with Maintainer or Owner permissions disables this setting. 4. The MR is merged, bypassing all external status checks. 5. The setting is re-enabled. Since no audit event is emitted for this setting change, there is no way to detect or investigate this bypass after the fact. ## Impact This undermines the compliance value of external status checks for organizations relying on them as a security or compliance control. A privileged user can silently bypass them without leaving any trace in the audit log. ## Expected Behavior A change to the **"Status checks must succeed"** project setting should emit an audit event, similar to how other equivalent merge request settings are already audited: - `project_only_allow_merge_if_pipeline_succeeds_updated` - `project_only_allow_merge_if_all_discussions_are_resolved_updated` A new audit event such as `project_only_allow_merge_if_all_status_checks_passed_updated` should be introduced, recording: - Who changed the setting - When it was changed - The old and new values ## Proposal 1. Add an audit event `project_only_allow_merge_if_all_status_checks_passed_updated` that fires whenever the "Status checks must succeed" setting is toggled, following the same pattern as the existing project merge setting audit events. 2. Consider allowing this setting to be locked at the group level so it cannot be changed by project Maintainers, only by group Owners or compliance managers. ## References - [External status checks documentation](https://docs.gitlab.com/ee/user/project/merge_requests/status_checks.html) - [Available audit event types](https://docs.gitlab.com/ee/user/compliance/audit_event_types.html)