From f23b63d13f79152e37b0f0c69867e7f929564609 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20C=CC=8Cavoj?= Date: Fri, 10 Oct 2025 17:35:32 +0200 Subject: [PATCH 1/2] Document discrepancies between security widget and bot comment Changelog: changed --- .../merge_request_approval_policies.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/doc/user/application_security/policies/merge_request_approval_policies.md b/doc/user/application_security/policies/merge_request_approval_policies.md index 3a8d050ed6e52f..d3672cc6b7825a 100644 --- a/doc/user/application_security/policies/merge_request_approval_policies.md +++ b/doc/user/application_security/policies/merge_request_approval_policies.md 
@@ -922,6 +922,38 @@ merge request is updated, but not immediately when the vulnerability state chang To reflect vulnerability state changes in the policies immediately manually run the pipeline or push a new commit to the merge request. +## Understanding security widget and policy bot discrepancies + +You may notice inconsistencies between what the merge request security widget displays and what the security bot comments indicate regarding vulnerabilities. These differences occur because these features currently use different data sources and comparison methods for security findings. + +### Why the differences exist + +#### Different data sources + +- **MR Security Widget**: Compares results from the latest source branch pipeline with vulnerabilities previously stored in the database for the default branch. +- **Security Bot (and Approval Policy Logic)**: Compares results between actual pipeline artifacts - specifically between the latest successful target branch pipeline and the latest successful source branch pipeline. + +This fundamental difference in data sources can lead to inconsistent behavior in several scenarios. + +### Common scenarios where inconsistencies occur + +#### Missing or failed security scans in target branch + +When the latest pipeline on your target branch fails to run security scans properly (perhaps due to misconfiguration or job failures), the security bot might report new findings and require approval as a precautionary measure because it cannot compare results effectively. Meanwhile, the security widget might show no new vulnerabilities because it relies on previously stored vulnerability data. + +#### Changes in target branch between comparisons + +If there are multiple commits on the target branch that change the security profile between when the widget makes its comparison and when the bot makes its comparison, results can differ. 
+ +### Best practices for consistent results + +To minimize confusion when using these security features: + +1. **Ensure complete pipeline execution**: Make sure security scans complete successfully on both source and target branches. +1. **Maintain consistent CI configuration**: Avoid removing or breaking security scan configurations in your pipeline. +1. **For new projects**: Run a security scan on the default branch before creating merge requests to establish baseline vulnerability data. +1. **Consider using scan execution policies**: When combined with merge request approval policies, they help ensure security scans always run where needed. + ## Troubleshooting ### Merge request rules widget shows a merge request approval policy is invalid or duplicated -- GitLab From 1de377cdc5ec9cd5751ca2e81e023a4cd936a43a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20=C4=8Cavoj?= Date: Mon, 13 Oct 2025 13:30:49 +0200 Subject: [PATCH 2/2] Apply 6 suggestion(s) to 1 file(s) Co-authored-by: Ryan Lehmann --- .../merge_request_approval_policies.md | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/doc/user/application_security/policies/merge_request_approval_policies.md b/doc/user/application_security/policies/merge_request_approval_policies.md index d3672cc6b7825a..319dd957119108 100644 --- a/doc/user/application_security/policies/merge_request_approval_policies.md +++ b/doc/user/application_security/policies/merge_request_approval_policies.md 
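Review bot: the data-source bullets compare the widget against the *default* branch ("vulnerabilities previously stored in the database for the default branch") but the bot against the *target* branch ("the latest successful target branch pipeline"), yet neither scenario under "Common scenarios where inconsistencies occur" covers a merge request that targets a branch other than the default branch, where the two will disagree by construction rather than only when a scan fails or the target branch moves; add that as its own scenario. The "Missing or failed security scans in target branch" scenario also hedges with "might report new findings and require approval"; state the actual behaviour, because a reader deciding which of the two signals to trust needs to know which one is the conservative default when the comparison cannot be made.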
@@ -924,22 +924,20 @@ manually run the pipeline or push a new commit to the merge request. ## Understanding security widget and policy bot discrepancies -You may notice inconsistencies between what the merge request security widget displays and what the security bot comments indicate regarding vulnerabilities. These differences occur because these features currently use different data sources and comparison methods for security findings. +You may notice inconsistencies between what the merge request security widget displays and what the security bot comments indicate regarding vulnerabilities. These features use different data sources and comparison methods for security findings, which can result in differences in what they display. -### Why the differences exist +Data sources: -#### Different data sources - -- **MR Security Widget**: Compares results from the latest source branch pipeline with vulnerabilities previously stored in the database for the default branch. -- **Security Bot (and Approval Policy Logic)**: Compares results between actual pipeline artifacts - specifically between the latest successful target branch pipeline and the latest successful source branch pipeline. - -This fundamental difference in data sources can lead to inconsistent behavior in several scenarios. +- **Merge request security widget**: Compares results from the latest source branch pipeline with vulnerabilities previously stored in the database for the default branch. +- **Security Bot (and approval policy logic)**: Compares results between actual pipeline artifacts, specifically between the latest successful target branch pipeline and the latest successful source branch pipeline. ### Common scenarios where inconsistencies occur +The difference in data sources can lead to inconsistent behavior in several scenarios. 
+ #### Missing or failed security scans in target branch -When the latest pipeline on your target branch fails to run security scans properly (perhaps due to misconfiguration or job failures), the security bot might report new findings and require approval as a precautionary measure because it cannot compare results effectively. Meanwhile, the security widget might show no new vulnerabilities because it relies on previously stored vulnerability data. +When the latest pipeline on your target branch fails to run security scans properly (for example, due to a misconfiguration or job failures), the security bot might report new findings and require approval as a precautionary measure because it cannot compare results effectively. Meanwhile, the security widget might show no new vulnerabilities because it uses previously stored vulnerability data. #### Changes in target branch between comparisons 
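Review bot: capitalization is inconsistent within this hunk: the list item reads `**Security Bot (and approval policy logic)**` while the scenario text right below it reads "the security bot might report new findings"; use one form, and lowercase "security bot" matches both the surrounding prose and the "policy bot" wording in the section heading. The bare `Data sources:` fragment introducing the list should also be a full sentence, for example "The two features use these data sources:", to match how the rewritten "Common scenarios" section introduces its content with a sentence.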
@@ -949,10 +947,10 @@ If there are multiple commits on the target branch that change the security prof To minimize confusion when using these security features: -1. **Ensure complete pipeline execution**: Make sure security scans complete successfully on both source and target branches. -1. **Maintain consistent CI configuration**: Avoid removing or breaking security scan configurations in your pipeline. -1. **For new projects**: Run a security scan on the default branch before creating merge requests to establish baseline vulnerability data. -1. **Consider using scan execution policies**: When combined with merge request approval policies, they help ensure security scans always run where needed. +- Ensure complete pipeline execution: Make sure security scans complete successfully on both source and target branches. +- Maintain consistent CI/CD configuration: Avoid removing or breaking security scan configurations in your pipeline. +- For new projects: Run a security scan on the default branch before creating merge requests to establish baseline vulnerability data. +- Consider using scan execution policies: When combined with merge request approval policies, they help ensure security scans always run where needed. ## Troubleshooting -- GitLab
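Review bot: the bullet `Consider using scan execution policies` is the one recommendation a reader can act on directly, so it should link to the scan execution policies documentation rather than only naming the feature; the other three bullets mostly restate the scenarios above. The `For new projects` bullet should also say why the baseline matters, tying it back to the data-sources list: the widget compares against vulnerabilities stored for the default branch, so without an initial scan on that branch it has nothing to compare against, which is exactly the case where it and the bot diverge.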