From e9e33f890fe0892338a50c58f3f21dde40888662 Mon Sep 17 00:00:00 2001
From: Sashi Kumar Kumaresan
Date: Wed, 27 Aug 2025 13:45:13 +0200
Subject: [PATCH 1/2] Add merge_request branch exception bypass event

This change adds an event that is triggered whenever an MR is bypassed by the branch exceptions in security policies.

EE: true
Changelog: other
---
 .../ee/merge_requests/base_service.rb | 7 +++++++
 ...merge_request_branch_exceptions_bypass.yml | 18 ++++++++++++++++
 ...merge_request_branch_exceptions_bypass.yml | 21 +++++++++++++++++++
 ...ty_policy_branch_bypass_shared_examples.rb | 14 +++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 ee/config/events/check_merge_request_branch_exceptions_bypass.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml

diff --git a/ee/app/services/ee/merge_requests/base_service.rb b/ee/app/services/ee/merge_requests/base_service.rb
index a7e9b0390b25e7..a6ca25caff3b30 100644
--- a/ee/app/services/ee/merge_requests/base_service.rb
+++ b/ee/app/services/ee/merge_requests/base_service.rb
@@ -4,6 +4,7 @@ module EE
 module MergeRequests
 module BaseService
 extend ::Gitlab::Utils::Override
+ include ::Gitlab::InternalEventsTracking
 private
@@ -128,6 +129,12 @@ def audit_security_policy_branch_bypass(merge_request)
 return if matching_policies.empty?
+ track_internal_event('check_merge_request_branch_exceptions_bypass', project: merge_request.project,
+ additional_properties: {
+ value: merge_request.id
+ }
+ )
+
 matching_policies.each do |policy|
 log_audit_event_for_policy_bypass(merge_request, policy)
 end
diff --git a/ee/config/events/check_merge_request_branch_exceptions_bypass.yml b/ee/config/events/check_merge_request_branch_exceptions_bypass.yml
new file mode 100644
index 00000000000000..2c79c29abd39e8
--- /dev/null
+++ b/ee/config/events/check_merge_request_branch_exceptions_bypass.yml
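Review bot: The usage-metric call is placed before the loop that writes the audit events, so if `track_internal_event` raises (Redis unavailable, or a definition-validation error in non-production environments) the bypass is counted but never audited; the audit record is the compliance artefact here and should not depend on telemetry succeeding. I would move the `track_internal_event(...)` block below the `matching_policies.each` loop so the audit events are written first and the metric is emitted once per merge request afterwards. While moving it, collapse the call into one statement, `track_internal_event('check_merge_request_branch_exceptions_bypass', project: merge_request.project, additional_properties: { value: merge_request.id })`, since the current dangling-`)` layout is unusual for this codebase. Whether the tracking helper swallows errors in production cannot be confirmed from this hunk. `audit_security_policy_branch_bypass` begins outside the hunk (only its signature is visible in the hunk header), and `matching_policies` is defined there.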
@@ -0,0 +1,18 @@
+---
+description: Merge requests bypassed by branch exceptions in security policy
+internal_events: true
+status: active
+action: check_merge_request_branch_exceptions_bypass
+identifiers:
+- project
+- namespace
+additional_properties:
+ value:
+ description: merge_request_id
+product_group: security_policies
+product_categories:
+- security_policy_management
+milestone: '18.4'
+introduced_by_url: TODO
+tiers:
+- ultimate
diff --git a/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml b/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml
new file mode 100644
index 00000000000000..f087eaad5a9860
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml
@@ -0,0 +1,21 @@
+---
+key_path: redis_hll_counters.count_distinct_value_from_check_merge_request_branch_exceptions_bypass
+description: Count of unique merge requests bypassed by branch exceptions in security policies
+product_group: security_policies
+product_categories:
+- security_policy_management
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '18.4'
+introduced_by_url: TODO
+time_frame:
+- 28d
+- 7d
+data_source: internal_events
+data_category: optional
+tiers:
+- ultimate
+events:
+- name: check_merge_request_branch_exceptions_bypass
+ unique: value
diff --git a/ee/spec/support/shared_examples/services/merge_requests/audit_security_policy_branch_bypass_shared_examples.rb b/ee/spec/support/shared_examples/services/merge_requests/audit_security_policy_branch_bypass_shared_examples.rb
index 020d0448d05351..51e3fdfb89adfe
--- a/ee/spec/support/shared_examples/services/merge_requests/audit_security_policy_branch_bypass_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/merge_requests/audit_security_policy_branch_bypass_shared_examples.rb
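Review bot: The `value` property is documented only as `merge_request_id`, which leaves the reader to guess what the number is and why it is carried; since the companion metric deduplicates on it, the definition should say so, e.g. `description: Database ID of the bypassed merge request (used as the uniqueness key for the distinct-MR count)`. The `identifiers` list also names `namespace`, but the call site in base_service.rb passes only `project:`; presumably the tracking helper derives the namespace from the project, which is worth confirming so namespace-scoped aggregation is not silently empty.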
@@ -37,11 +37,25 @@
 )
 expect(event.entity).to eq(security_policy.security_policy_management_project)
 end
+
+ it 'tracks internal event', :clean_gitlab_redis_shared_state do
+ expect { execute }
+ .to trigger_internal_events('check_merge_request_branch_exceptions_bypass')
+ .with(project: merge_request.project, additional_properties: { value: merge_request.id })
+ .and increment_usage_metrics(
+ "redis_hll_counters." \
+ "count_distinct_value_from_check_merge_request_branch_exceptions_bypass_monthly"
+ )
+ end
 end
 context 'when security policy does not exist with branch bypass' do
 it 'does not create an audit event' do
 expect { execute }.not_to change { AuditEvent.count }
 end
+
+ it 'does not track internal event for branch exceptions bypass' do
+ expect { execute }.not_to trigger_internal_events('check_merge_request_branch_exceptions_bypass')
+ end
 end
 end
-- 
GitLab

From 87127eb18bf3065364747efe17c965f458ac50ad Mon Sep 17 00:00:00 2001
From: Sashi Kumar Kumaresan
Date: Wed, 27 Aug 2025 14:10:24 +0200
Subject: [PATCH 2/2] Update introduced_by_url in definitions

---
 .../events/check_merge_request_branch_exceptions_bypass.yml | 2 +-
 ..._value_from_check_merge_request_branch_exceptions_bypass.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ee/config/events/check_merge_request_branch_exceptions_bypass.yml b/ee/config/events/check_merge_request_branch_exceptions_bypass.yml
index 2c79c29abd39e8..1abc81bedde7c4 100644
--- a/ee/config/events/check_merge_request_branch_exceptions_bypass.yml
+++ b/ee/config/events/check_merge_request_branch_exceptions_bypass.yml
@@ -13,6 +13,6 @@ product_group: security_policies
 product_categories:
 - security_policy_management
 milestone: '18.4'
-introduced_by_url: TODO
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202917
 tiers:
 - ultimate
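Review bot: The new positive example only pins that the event fires; it does not pin that it fires once per merge request when more than one policy with a branch exception matches, which is the contract implied by the tracking call sitting outside the per-policy loop in base_service.rb. I would add a sibling example in a context with two matching policies asserting `expect { execute }.to trigger_internal_events('check_merge_request_branch_exceptions_bypass').once`, assuming the matcher supports the count chain the way other internal-event specs use it. Without that, a future refactor that moves the call inside the loop would pass these specs: the HLL metric would mask the duplicate on its unique key, while any raw event stream downstream would not. The shared example group and `execute` are defined outside the hunk, so a fixture for a second policy may already exist or need adding.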
diff --git a/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml b/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml
index f087eaad5a9860..736f4247d938a1 100644
--- a/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml
+++ b/ee/config/metrics/counts_all/count_distinct_value_from_check_merge_request_branch_exceptions_bypass.yml
@@ -8,7 +8,7 @@ performance_indicator_type: []
 value_type: number
 status: active
 milestone: '18.4'
-introduced_by_url: TODO
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202917
 time_frame:
 - 28d
 - 7d
-- 
GitLab