Enforce security scan in merge request when targeting a branch with scans configured
Problem to solve
The MVC #198496 (closed) brings awareness and a suggested remediation to the developer in the MR when this scenario occurs. However, the remediation is optional; therefore vulnerabilities may still be introduced to the default branch without any scans running (even if the default branch is configured to perform scans).
Additional context: when a user configures security scan(s) on the default branch, all subsequently created feature branches will perform the scan. However, feature branches created before the scans were configured on the default branch will not include them. Today it's possible to merge an MR even if the target branch has security scans but the source branch has no similar security scans.
Intended users
Further details
....
Proposal
Consider an approval rule or setting option that requires the developer either to 1) rebase the source branch on top of the target branch or 2) merge the target branch into the source branch. Both solutions are generic (nothing specific to the security scans) and they ensure the scan configuration of the source branch is consistent with the target branch.
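To make the proposed check concrete, here is an added example (not GitLab's own code or the implementation of this proposal) of the gate such a rule would apply before a merge. It assumes `git` is installed and builds a constructed throwaway repository that reproduces the scenario from the issue: a `feature` branch is created from `main` before a SAST template is added to `.gitlab-ci.yml` on `main`. The gate uses `git merge-base --is-ancestor` to decide whether the source branch already contains the target's tip, and the `mr_scan_gate`, `source_has_sast` and `build_demo_repo` function names are this example's own.

```shell
#!/bin/sh
# Added example, not GitLab's own code: a pre-merge gate that checks whether
# the MR source branch already contains the tip of the target branch, so any
# scan configured on the target after the source branched off is present.
set -eu

# Exit 0 when TARGET's tip is an ancestor of SOURCE (source was rebased onto
# or merged from target); exit 1 otherwise. Uses git's own ancestry check.
source_contains_target() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Exit 0 when the branch's pipeline config includes the SAST template line
# that the constructed repo below adds on the default branch.
source_has_sast() {
    git -C "$1" show "$2:.gitlab-ci.yml" | grep -q 'Security/SAST.gitlab-ci.yml'
}

# Remediation option 1 from the proposal: rebase SOURCE on top of TARGET.
rebase_source_onto_target() {
    git -C "$1" rebase -q "$2" "$3"
}

# Build a constructed demo repo reproducing the issue's scenario: the feature
# branch is created before SAST is enabled on the default branch.
build_demo_repo() {
    repo=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -C "$repo" init -q
    git -C "$repo" checkout -q -b main
    printf 'stages: [test]\n' > "$repo/.gitlab-ci.yml"
    git -C "$repo" add .gitlab-ci.yml
    git -C "$repo" commit -q -m "initial pipeline"
    git -C "$repo" branch feature          # branched off before scans exist
    printf 'include:\n  - template: Security/SAST.gitlab-ci.yml\n' >> "$repo/.gitlab-ci.yml"
    git -C "$repo" add .gitlab-ci.yml
    git -C "$repo" commit -q -m "enable SAST on default branch"
    echo "$repo"
}

# The gate as it would run before merging: return 1 (and say why) when the
# source lags the target, 0 when the target's scans will run in the MR.
mr_scan_gate() {
    if source_contains_target "$1" "$2" "$3"; then
        echo "OK: $3 contains $2; scans configured on $2 will run in the MR"
        return 0
    fi
    echo "BLOCKED: $3 does not contain $2; rebase or merge $2 into $3 first"
    return 1
}

demo_repo=$(build_demo_repo)
mr_scan_gate "$demo_repo" main feature || true   # reports BLOCKED
rebase_source_onto_target "$demo_repo" main feature
mr_scan_gate "$demo_repo" main feature           # reports OK
```

Merging the target into the source (option 2) satisfies the same ancestry check, since the target's tip becomes a parent of the merge commit; the gate does not care which of the two remediations the developer chose.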
Status: workflowdesign
Permissions and Security
- Maintainer is able to set the rule or setting
- Enforcement applies to all users
Documentation
...
Availability & Testing
...
What does success look like, and how can we measure that?
- When a developer is in an MR (with notification and rebase suggestion), do they notice the message?
- Does the user understand the message and related issue in MR?
- Does the user know how to remediate the problem?
- Does the user act on the problem?
What is the type of buyer?
Links / references
Discovery issue: #34773 (closed)