
Sync MR approvals after dismissing finding for MR

What does this MR do and why?

This MR implements automatic synchronization of merge request approvals when security vulnerabilities are dismissed, addressing a critical workflow issue where MR approval policies don't get re-evaluated after vulnerability state changes.

Problem Statement

Currently, when developers dismiss vulnerabilities in an MR (marking them as false positives or creating issues to track them), the MR approval policies are not automatically re-evaluated. This forces developers to manually re-run the entire pipeline just to trigger policy re-evaluation, even though no new security findings will be discovered. This creates:

  • Developer frustration: Unnecessary waiting for redundant pipeline runs
  • Resource waste: Running full pipelines without adding value
  • Workflow friction: Delays in MR delivery
  • Reduced trust: Erodes confidence in GitLab security automation

Solution

This MR adds automatic MR approval synchronization when vulnerabilities are dismissed by:

  1. Scheduling a background worker (Security::ScanResultPolicies::SyncMergeRequestApprovalsWorker) when vulnerabilities are dismissed
  2. Using a 1-minute delay to allow for deduplication when multiple findings are dismissed simultaneously
  3. Only triggering for MRs that have associated pipelines with merge requests
  4. Feature flag protection (sync_mr_approvals_on_vulnerability_dismiss) for safe rollout

Implementation Details

  • Service Updated: Security::Findings::DismissService now calls schedule_sync_merge_request_approvals_worker
  • Feature Flag: gitlab_com_derisk type for safe deployment and performance monitoring
  • Worker Scheduling: 1-minute delay prevents duplicate work when multiple vulnerabilities are dismissed
  • Comprehensive Tests: Covers all scenarios including feature flag states, pipeline associations, and error conditions
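To make the three gates described under Solution and Implementation Details concrete (feature flag, pipeline with an associated MR, and the 1-minute delay that lets repeated dismissals collapse into one job), here is an added, self-contained Ruby model of that decision logic. It is not code from this MR or from GitLab: `SyncScheduler`, `Pipeline`, `Finding` and the return symbols are assumptions standing in for `Security::Findings::DismissService#schedule_sync_merge_request_approvals_worker` and Sidekiq's delayed scheduling, and the in-memory queue keyed by MR id models deduplication rather than reproducing Sidekiq's own mechanism.

```ruby
# Hypothetical model of the dismissal-to-sync scheduling path described in the MR.
# Not GitLab code: class names, return symbols and the queue are assumptions.

SYNC_DELAY_SECONDS = 60 # the MR's 1-minute delay before the sync worker runs

# Minimal stand-ins for the objects the dismissal path touches (constructed for this example).
Pipeline = Struct.new(:id, :merge_request_ids)
Finding  = Struct.new(:id, :pipeline)

class SyncScheduler
  attr_reader :queue

  # flag_enabled models Feature.enabled?(:sync_mr_approvals_on_vulnerability_dismiss);
  # now is a simulated clock in seconds so the delay window can be tested offline.
  def initialize(flag_enabled:, now: 0)
    @flag_enabled = flag_enabled
    @now = now
    @queue = {} # mr_id => run_at; at most one pending job per MR models deduplication
  end

  # Applies the gates in the order the MR describes and returns a status:
  #   :skipped_flag_disabled, :skipped_no_pipeline, :skipped_no_merge_request,
  #   or a Hash of mr_id => :scheduled / :deduplicated.
  def schedule_for(finding)
    return :skipped_flag_disabled unless @flag_enabled

    pipeline = finding.pipeline
    return :skipped_no_pipeline if pipeline.nil?

    mr_ids = pipeline.merge_request_ids
    return :skipped_no_merge_request if mr_ids.empty?

    mr_ids.each_with_object({}) do |mr_id, result|
      if @queue.key?(mr_id) && @queue[mr_id] > @now
        # A job for this MR is already waiting out the delay: dismissing a second
        # finding does not enqueue a second sync.
        result[mr_id] = :deduplicated
      else
        @queue[mr_id] = @now + SYNC_DELAY_SECONDS
        result[mr_id] = :scheduled
      end
    end
  end

  # Moves the simulated clock forward.
  def advance(seconds)
    @now += seconds
  end

  # Pops the jobs whose delay has elapsed; returns the MR ids whose approvals would be re-synced.
  def due_jobs
    due = @queue.select { |_mr_id, run_at| run_at <= @now }.keys
    due.each { |mr_id| @queue.delete(mr_id) }
    due
  end
end

# Walk-through: two findings dismissed on the same MR within a minute produce one sync job.
def demo
  pipeline = Pipeline.new(101, [42])
  scheduler = SyncScheduler.new(flag_enabled: true)
  first  = scheduler.schedule_for(Finding.new(1, pipeline))
  second = scheduler.schedule_for(Finding.new(2, pipeline))
  scheduler.advance(SYNC_DELAY_SECONDS)
  [first, second, scheduler.due_jobs]
end
```

Running `demo` returns `[{42=>:scheduled}, {42=>:deduplicated}, [42]]`: the second dismissal is absorbed by the pending job, and a single sync fires for MR 42 once the delay has elapsed, which is the batching behaviour the Performance Considerations rely on.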

Performance Considerations

  • Scoped Impact: Only affects MRs with newly introduced vulnerabilities (single pipeline association)
  • Deduplication: 1-minute delay allows batching of multiple dismissals
  • Background Processing: Uses Sidekiq worker to avoid blocking the dismissal action
  • Feature Flag: Allows immediate rollback if performance issues arise

Changelog: changed
EE: true

References

Closes #560563

Screenshots or screen recordings

Before: Developers must manually re-run pipelines after dismissing vulnerabilities to trigger policy re-evaluation.
After: MR approval policies are automatically re-evaluated within 1 minute of vulnerability dismissal.

How to set up and validate locally

  1. Enable the feature flag in the Rails console:

     Feature.enable(:sync_mr_approvals_on_vulnerability_dismiss)

  2. Create a project with security scan result policies that include the new_dismissed vulnerability states.

  3. Create an MR that introduces security vulnerabilities.

  4. Dismiss one or more vulnerabilities from the security findings.

  5. Verify that Security::ScanResultPolicies::SyncMergeRequestApprovalsWorker is scheduled:

     # List the scheduled Sidekiq jobs for the sync worker
     Sidekiq::ScheduledSet.new.select { |job| job.klass == 'Security::ScanResultPolicies::SyncMergeRequestApprovalsWorker' }

  6. Wait 1 minute, or run the worker manually, to see the MR approval status update.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #560563

Edited by Alan (Maciej) Paruszewski
