From 9c5e0021c1eeb9ed050615105860a097f792cd2a Mon Sep 17 00:00:00 2001 From: Russell Dickenson <rdickenson@gitlab.com> Date: Fri, 30 Aug 2024 00:37:47 +0000 Subject: [PATCH] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Ryan Lehmann <rlehmann@gitlab.com> --- .../application_security/policies/index.md | 14 +------ .../merge_request_approval_policies.md | 42 ++++++++++++++----- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/doc/user/application_security/policies/index.md b/doc/user/application_security/policies/index.md index 219947ff9435..0febad5c917c 100644 --- a/doc/user/application_security/policies/index.md +++ b/doc/user/application_security/policies/index.md @@ -350,21 +350,12 @@ When working with security policies, consider these troubleshooting tips: Security Policies are designed to require approval when there are no results (no security report), as this ensures that no vulnerabilities are introduced. We cannot know if there are any vulnerabilities unless the scans enforced by the policy complete successfully and are evaluated. -- For merge request approval policies, we require artifacts for each scanner defined in the policy - for both the source and target branch. To ensure merge request approval policies capture the - necessary results, confirm your scan execution is properly implemented and enforced. If using scan - execution policies, enforcing on `all branches` often addresses this need. -- Comparison in merge request approval policies depends on a successful and completed merge base - pipeline. If the merge base pipeline is [skipped](../../../ci/pipelines/index.md#skip-a-pipeline), - merge requests with the merge base pipeline are blocked. - When running scan execution policies based on a SAST action, ensure target repositories contain proper code files. SAST runs different analyzers [based on the types of files in the repository](../sast/index.md#supported-languages-and-frameworks), and if no supported files are found it does not run any jobs. See the [SAST CI template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) for more details. -- Merge request approval policies created at the group or subgroup level can take some time to apply - to all the merge requests in the group. - Scheduled scan execution policies run with a minimum 15 minute cadence. Learn more [about the schedule rule type](../policies/scan_execution_policies.md#schedule-rule-type). - When scheduling pipelines, keep in mind that CRON scheduling is based on UTC on GitLab SaaS and is @@ -378,9 +369,6 @@ When working with security policies, consider these troubleshooting tips: rules from the merge request approval policies not being applied to merge requests in the development project. - When creating a merge request approval policy, neither the array `severity_levels` nor the array `vulnerability_states` in the [`scan_finding` rule](../policies/merge_request_approval_policies.md#scan_finding-rule-type) - can be left empty. For a working rule, at least one entry must exist. -- When merge request approval policies are enforced on projects containing manual jobs in their - pipeline, policies evaluate the completed pipeline jobs and ignore the manual jobs. When the - manual jobs are run, the policy re-evaluates the MR. + can be left empty. For a working rule, at least one entry must exist for each array. If you are still experiencing issues, you can [view recent reported bugs](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=popularity&state=opened&label_name%5B%5D=group%3A%3Asecurity%20policies&label_name%5B%5D=type%3A%3Abug&first_page_size=20) and raise new unreported issues. diff --git a/doc/user/application_security/policies/merge_request_approval_policies.md b/doc/user/application_security/policies/merge_request_approval_policies.md index 36d8cf168022..f6b7767a0758 100644 --- a/doc/user/application_security/policies/merge_request_approval_policies.md +++ b/doc/user/application_security/policies/merge_request_approval_policies.md @@ -20,9 +20,6 @@ Use merge request approval policies to enforce project-level settings and approv result policy is a security approval policy that allows approval to be required based on the findings of one or more security scan jobs. Merge request approval policies are evaluated after a CI scanning job is fully executed and both vulnerability and license type policies are evaluated based on the job artifact reports that are published in the completed pipeline. -NOTE: -Merge request approval policies are applicable only to [protected](../../project/protected_branches.md) target branches. - NOTE: When a protected branch is created or deleted, the policy approval rules synchronize, with a delay of 1 minute. @@ -35,14 +32,37 @@ The following video gives you an overview of GitLab merge request approval polic <iframe src="https://www.youtube-nocookie.com/embed/w5I9gcUgr9U" frameborder="0" allowfullscreen> </iframe> </figure> -## Requirements and limitations - -- You must add the respective [security scanning tools](../index.md#application-coverage). - Otherwise, merge request approval policies cannot get evaluated and the corresponding approvals stay required. -- The maximum number of merge request approval policies is five per security policy project. -- Each policy can have a maximum of five rules. -- All configured scanners must be present in the merge request's latest pipeline. If not, approvals are required even if some vulnerability criteria have not been met. -- Merge request approval policies evaluate findings and determine approval requirements based on the job artifact reports published in a completed pipeline. However, merge request approval policies do not check the integrity or authenticity of the scan results generated in the artifact reports. +## Restrictions + +- You can enforce merge request approval policies only on [protected](../../project/protected_branches.md) + target branches. +- You can assign a maximum of five rules to each policy. +- You can assign a maximum of five merge request approval policies to each security policy project. +- Policies created for a group or subgroup can take some time to apply to all the merge requests in + the group. +- Merge request approval policies do not check the integrity or authenticity of the scan results + generated in the artifact reports. +- A merge request approval policy is evaluated according to its rules. By default, if the rules are + invalid, or can't be evaluated, approval is required. You can change this behavior with the + [`fallback_behavior` field](#fallback_behavior). + +## Pipeline requirements + +A merge request approval policy is enforced according to the outcome of the pipeline. Consider the +following when implementing a merge request approval policy: + +- A merge request approval policy evaluates completed pipeline jobs, ignoring manual jobs. When the + manual jobs are run, the policy re-evaluates the merge request's jobs. +- All configured scanners must be present in the merge request's latest pipeline. If not, approvals + are required even if some vulnerability criteria have not been met. +- The pipeline must produce artifacts for all enabled scanners, for both the source and target + branches. If not, there's no basis for comparison and so the policy can't be evaluated. You should + use a scan execution policy to enforce this requirement. +- Policy evaluation depends on a successful and completed merge base pipeline. If the merge base + pipeline is skipped, merge requests with the merge base pipeline are blocked. +- Security scanners specified in a policy must be configured and enabled in the projects on which + the policy is enforced. If not, the merge request approval policy cannot be evaluated and the + corresponding approvals are required. ## Merge request with multiple pipelines -- GitLab