[go: up one dir, main page]

Draft: Update MR widget to show bypassed policies

Alexander Turinskerequested to merge
561650-update-mr-widget-for-bypassed-policies into master

What does this MR do and why?

Update MR widget to show bypassed policies

  • explicitly say policies are bypassed

Changelog: added

EE: true

References

Screenshots or screen recordings

Scenario After
Bypassed policy image

How to set up and validate locally

  1. Upload a GitLab Ultimate license
  2. Enable the security_policy_approval_warn_mode feature flag in http://gdk.test:3443/rails/features
  3. Create a ruby project (use ruby template) with SAST enabled (easiest scanner to enable)
  4. Install and run gitlab runners in your gdk (instructions)
  5. Navigate to the new project => Secure => Policies => New policy => Merge request approval policy
  6. Create a policy that is enforced
Enforce policy 
approval_policy:
  - name: Prevent Critical Vulnerabilities
    description: This is to prevent Critical/High Vulnerabilities from getting merged
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
          - developer
          - owner
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: open
  1. Create a policy that is not enforced (warn policy)
Warn policy 
approval_policy:
- name: Warn - Prevent SAST vulnerabilities
  description: Security Scan
  enabled: true
  enforcement_type: "warn"
  rules:
  - type: scan_finding
    scanners:
    - sast
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - developer
    - maintainer
    - owner
  - type: send_bot_message
    enabled: true
  approval_settings:
    block_branch_modification: false
    prevent_pushing_and_force_pushing: false
    prevent_approval_by_author: false
    prevent_approval_by_commit_author: false
    remove_approvals_with_new_commit: false
    require_password_to_approve: false
  fallback_behavior:
    fail: open
  1. Create an MR in the new project with vulnerable code
vulnerable_code.rb 
input = gets.chomp
eval("puts \#{input}")

job = params[:job]
eval(job)
  1. Verify the MR widget shows that policies are being violated
  2. Verify the dismiss button appears
  3. Verify clicking the Bypass button brings up a modal
  4. Verify the user can select the warn policy
  5. Click the Bypass button
  6. Verify the modal is closed

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #561650 (closed)

Edited by Alexander Turinske

Merge request reports