Discussion for #374602, Situation 1: Clarify security policy states while pipeline is running
Problem
We heard from a customer that users are confused while the pipeline is running: because of the message "MR blocked: all required approvals needed", the user thinks that the security policy is enabled and that the pipeline is blocked because of it.
While the pipeline is running, the user can observe and do the following:
- a.1 Sees that the MR needs approval and concludes that the MR is blocked by the security policy; checks the previously existing vulnerabilities, finds nothing wrong, and approves. The button becomes "Merge when pipeline complete" and the user clicks it.
- a.2 Sees that the MR needs approval and concludes that the MR is blocked by the security policy; checks the previously existing vulnerabilities, finds nothing wrong, and approves. The user sees the message "MR blocked: pipeline not finished" and waits.
- b Sees that the MR needs approval and concludes that the MR is blocked by the security policy; checks the previously existing vulnerabilities, fixes them, and re-runs the pipeline.
- c.1 Sees that the MR needs approval and concludes that the MR is blocked by the security policy; there are no previously existing vulnerabilities and nothing is wrong, so the user approves. The button becomes "Merge when pipeline complete" and the user clicks it.
- c.2 Sees that the MR needs approval and concludes that the MR is blocked by the security policy; there are no previously existing vulnerabilities and nothing is wrong, so the user approves. The user sees the message "MR blocked: pipeline not finished" and waits.
- d Sees that the MR needs approval and concludes that the MR is blocked by the security policy; does not know what to do and asks another team member for help. The other person comes in after the pipeline has completed.
Once the pipeline has finished, the security policy can be in one of two states:
- vulnerabilities matching the policy criteria were found: the security policy requires approval
- NO vulnerabilities matching the policy criteria were found: the security policy does NOT require approval
So, combining all the possibilities, the following might happen:
| - | 1. Vulnerabilities found after pipeline finished | 2. NO vulnerabilities found after pipeline finished |
|---|---|---|
| a.1 | MR merged automatically -> security leak | It is ok, MR merged |
| a.2 | α. The user notices that new vulnerabilities were found and is confused: why are there new vulnerabilities, didn't I fix them all? β. The user doesn't notice and lets the MR merge -> security leak | It is ok, MR merged |
| b | User confused: why were new vulnerabilities found? Didn't I fix them? | It is ok, MR merged |
| c.1 | MR merged automatically -> security leak | It is ok, MR merged |
| c.2 | α. The user notices that vulnerabilities were found and is confused: why are there vulnerabilities? It was fine before. β. The user doesn't notice and lets the MR merge -> security leak | It is ok, MR merged |
| d | It is ok: the user checks the vulnerabilities and moves forward, either fixing or ignoring them to let the MR merge | User confused! The policy was enabled, now it is not there anymore. Did someone remove it? Is it a system bug? |
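As an added illustration (not part of this issue or of GitLab's code), the Python model below encodes the race behind the table above: an approval granted while the pipeline is still running versus the policy evaluation that only exists once scan results do. The `MergeRequest` fields, `POLICY_SEVERITIES` and the `wait_for_pipeline` switch are my assumptions; the switch contrasts the reported behaviour with the "let the user wait for the pipeline" solution proposed under Potential solution.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the approval/pipeline race described in the issue.
# Names and the policy criteria below are assumptions, not GitLab's code.
POLICY_SEVERITIES = {"critical", "high"}   # assumed scan-result policy criteria


@dataclass
class MergeRequest:
    # "running": approval given before results existed (cases a/c)
    # "finished": approval given after the user could see the findings (case d)
    approved_at_pipeline_stage: Optional[str] = None
    merge_when_pipeline_succeeds: bool = False   # button clicked while running


def policy_needs_approval(findings: List[str]) -> bool:
    """True when at least one new finding matches the policy criteria."""
    return any(severity in POLICY_SEVERITIES for severity in findings)


def resolve(mr: MergeRequest, findings: List[str], wait_for_pipeline: bool) -> str:
    """Outcome once the pipeline finishes.

    wait_for_pipeline=False models the behaviour the customer hit: an approval
    granted before any results existed still satisfies the policy.
    wait_for_pipeline=True models the proposed fix: the policy only becomes
    active after the scan, so only approvals given after that point count.
    """
    if not policy_needs_approval(findings):
        return "merged"                             # column 2 of the table
    stage = mr.approved_at_pipeline_stage
    if stage is None or (wait_for_pipeline and stage == "running"):
        return "blocked: approval needed"           # user now reviews findings
    if stage == "running":                          # approval predates findings
        if mr.merge_when_pipeline_succeeds:
            return "merged automatically, findings never reviewed"   # a.1 / c.1
        return "mergeable, approval predates findings"               # a.2 / c.2
    return "merged"                                 # approved after review (d)
```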
Background: message from customer
We got a direct ticket from the customer and Slack messages from Customer Success; below is a screenshot of the Slack message.
I think what the customer reported is more like d.2 in the table above.
Potential solution
Let the user wait for the pipeline to finish.
Design: see the design area
Edited by Annabel Dunstone Gray