
Enforce presence of target scans with merge request approval policies

What does this MR do and why?

If the enforced scans are not present in the target pipeline, evaluate the approval rules as errored. Although this expectation of enforcement is a documented behavior, the extra check is added behind a derisk feature flag for extra safety (#577681).

Additionally, this change fixes the handling of scanners: [], which is used when all scanners are selected; in some cases it was incorrectly interpreted.

In our documentation, we state:

  • If security scans are missing on either the source or target branch, GitLab cannot effectively evaluate whether the merge request is introducing new vulnerabilities. In such cases, approval is required as a precautionary measure.
  • For new projects where security scans have not yet been set up or executed on the target branch, all merge requests require approval. This ensures that security checks are active from the project’s inception.

References

Screenshots or screen recordings

Screenshots (images not reproduced here): Before; After (fail-closed); After (fail-open); After with scanners: []

How to set up and validate locally

  1. In the Rails console, enable the feature flag
    Feature.enable(:approval_policies_enforce_target_scans)
  2. Create a project
  3. Create a merge request approval policy requiring two different scanners
    approval_policy:
      - name: Secrets
        description: ''
        enabled: true
        enforcement_type: enforce
        rules:
          - type: scan_finding
            scanners:
              - dependency_scanning
              - secret_detection
            vulnerabilities_allowed: 0
            severity_levels: []
            vulnerability_states: []
            branch_type: protected
        actions:
          - type: require_approval
            approvals_required: 1
            role_approvers:
              - maintainer
              - owner
          - type: send_bot_message
            enabled: true
        fallback_behavior:
          fail: closed
    
  4. Configure .gitlab-ci.yml to only run secret detection
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
      
    project-job:
      script: exit 0
  5. Open MR
  6. Verify that the new error is presented in the bot comment and the approvals are required
  7. Add dependency scanning using - template: Jobs/Dependency-Scanning.gitlab-ci.yml and add an empty requirements.txt to the repo to trigger the dependency scans
  8. Verify that no error is thrown and approvals are optional
  9. Change the policy to require all scanners using scanners: []
  10. Verify that all missing scanners are listed
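As an added example (not GitLab's own code) modelling the check the steps above validate: a scan_finding rule is evaluated against the scanners that actually produced reports in the target pipeline, scanners: [] is expanded to every scanner, and the policy's fallback_behavior decides whether an errored rule still requires approval. The ALL_SCANNERS list, the function names and the fail-open modelling are assumptions of this example; only dependency_scanning and secret_detection appear in the MR itself.

```ruby
# Added example, not GitLab code: models how a scan_finding rule can be
# evaluated against the scanners present in the target pipeline.
# ALL_SCANNERS is an assumption for this example.
ALL_SCANNERS = %w[
  sast secret_detection dependency_scanning container_scanning dast
].freeze

# `scanners: []` in the policy means "every scanner" (the case the MR fixes).
def required_scanners(rule)
  scanners = rule.fetch(:scanners, [])
  scanners.empty? ? ALL_SCANNERS : scanners
end

# Scanners the policy enforces that produced no report in the target pipeline.
def missing_target_scanners(rule, target_pipeline_scanners)
  required_scanners(rule) - target_pipeline_scanners
end

# If enforced scans are missing, the rule is evaluated as errored.
# fallback :closed  -> approval is required as a precaution.
# fallback :open    -> modelled here as not blocking, but the error is still surfaced.
def evaluate_rule(rule, target_pipeline_scanners, fallback:)
  missing = missing_target_scanners(rule, target_pipeline_scanners)
  return { status: :ok, approvals_required: false, missing: [] } if missing.empty?

  { status: :errored, approvals_required: fallback == :closed, missing: missing }
end

# Constructed rule mirroring the policy used in the validation steps.
POLICY_RULE = {
  type: 'scan_finding',
  scanners: %w[dependency_scanning secret_detection],
  vulnerabilities_allowed: 0
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Steps 4-6: only secret detection ran in the target pipeline
  p evaluate_rule(POLICY_RULE, %w[secret_detection], fallback: :closed)
  # Steps 7-8: both enforced scanners ran
  p evaluate_rule(POLICY_RULE, %w[secret_detection dependency_scanning], fallback: :closed)
  # Steps 9-10: scanners: [] requires every scanner, so all missing ones are listed
  p evaluate_rule(POLICY_RULE.merge(scanners: []), %w[secret_detection], fallback: :closed)
end
```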

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #514201

Edited by Martin Čavoj
