[go: up one dir, main page]

Skip to content

Create audit event when policy dismissal is merged

What does this MR do and why?

Creates audit events when a merge request is merged with a dismissed warn-mode security policy.

We want to integrate dismissed policies into the vulnerability report page as well so I added a status field in preparation for this. We only want to show dismissals that are associated with an MR that was merged.

References

How to set up and validate locally

  1. Enable the feature flag echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c
  2. Create a new project.
  3. On the left sidebar, select Secure and Policies.
  4. Select New policy.
  5. Select Scan execution policy.
  6. Enter a name and select Create new project with the new policy.
  7. Merge the MR
  8. Go back to the first project
  9. On the left sidebar, select Secure and Policies again.
  10. Select New policy.
  11. Select Merge request approval policy
  12. Switch to .yaml mode
  13. Paste the following config:
    approval_policy:
      - name: MR - Security Scan
        description: Security Scan
        enabled: true
        enforcement_type: warn
        rules:
          - type: scan_finding
            scanners:
              - secret_detection
            vulnerabilities_allowed: 0
            severity_levels: []
            vulnerability_states: []
            branch_type: protected
        actions:
          - type: require_approval
            approvals_required: 1
            role_approvers:
              - developer
              - maintainer
              - owner
          - type: send_bot_message
            enabled: true
        approval_settings:
          block_branch_modification: false
          prevent_pushing_and_force_pushing: false
          prevent_approval_by_author: false
          prevent_approval_by_commit_author: false
          remove_approvals_with_new_commit: false
          require_password_to_approve: false
        fallback_behavior:
          fail: open
    
  14. Select Configure with a merge request
  15. Merge the MR
  16. Back to the first project. Create an MR introducing a vulnerability. Add a file .env with the following content:
    AWS_TOKEN='AKIAZYONPI3G4JNCCWGA'
  17. The MR should be blocked by the new policies
  18. Dismiss the policy using /-/graphql-explorer and the following query
    mutation DismissPolicyViolations($projectPath: ID!, $mergeRequestIid: String!, $securityPolicyIds: [ID!]!, $dismissalTypes: [DismissalType!]!, $comment: String!) {
      dismissPolicyViolations(input: {
        projectPath: $projectPath,
        iid: $mergeRequestIid,
        securityPolicyIds: $securityPolicyIds,
        dismissalTypes: $dismissalTypes,
        comment: $comment
      }) {
        errors
      }
    }
    
    // variables (replace with own values)
    
    {
      "projectPath": "mr-205857/test-2",
      "mergeRequestIid": "1",
      "securityPolicyIds": [91],
      "dismissalTypes": ["SCANNER_FALSE_POSITIVE"],
      "comment": "Dismissed this because of false positive"
    }
  19. Merge the MR
  20. On the left sidebar, select Secure and Audit events.
  21. A new audit event should be added. It may take a while until the background worker finishes and creates the event.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #569628

Edited by Andy Schoenen

Merge request reports

Loading