Tutorial: Set up a merge request approval policy

Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

This tutorial shows you how to create and configure a merge request approval policy. These policies can be set to take action based on scan results. For example, in this tutorial, you’ll set up a policy that requires approval from two specified users if a vulnerability is detected in a merge request.

To set up a merge request approval policy:

  1. Create a test project.
  2. Add a merge request approval policy.
  3. Test the merge request approval policy.

Before you begin

The namespace used for this tutorial must:

  • Contain a minimum of three users, including your own. If you don’t have two other users, you must first create them. For details, see Creating users.

Create a test project

  1. On the left sidebar, at the top, select Create new () and New project/repository.
  2. Select Create blank project.
  3. Complete the fields.
    • Project name: sast-scan-result-policy.
    • Select the Enable Static Application Security Testing (SAST) checkbox.
  4. Select Create project.
  5. Go to the newly created project and create protected branches.

Add a merge request approval policy

Next, you’ll add a merge request approval policy to your test project:

  1. On the left sidebar, select Search or go to and find the sast-scan-result-policy project.
  2. Select Secure > Policies.
  3. Select New policy.
  4. In Merge request approval policy, select Select policy.
  5. Complete the fields.
    • Name: sast-scan-result-policy
    • Policy status: Enabled
  6. Add the following rule:

    IF |Security Scan| from |SAST| find(s) more than |0| |All severity levels| |All vulnerability states| vulnerabilities in an open merge request targeting |All protected branches|
    
  7. Set Actions to the following:

    THEN Require approval from | 2 | of the following approvers:
    
  8. Select two users.
  9. Select Configure with a merge request.

    The application creates a new project to store the policies linked to it, and creates a merge request to define the policy.

  10. Select Merge.
  11. On the left sidebar, select Search or go to and find the sast-scan-result-policy project.
  12. Select Secure > Policies.

    You can see the list of policies added in the previous steps.

Test the merge request approval policy

Nice work, you’ve created a merge request approval policy. To test it, create some vulnerabilities and check the result:

  1. On the left sidebar, select Search or go to and find the sast-scan-result-policy project.
  2. Select Code > Repository.
  3. From the Add () dropdown list, select New file.
  4. In the Filename field enter main.ts.
  5. In the file’s content, copy the following:

    // Non-literal require - tsr-detect-non-literal-require
    var lib: String = 'fs'
    require(lib)
    
    // Eval with variable - tsr-detect-eval-with-expression
    var myeval: String = 'console.log("Hello.");';
    eval(myeval);
    
    // Unsafe Regexp - tsr-detect-unsafe-regexp
    const regex: RegExp = /(x+x+)+y/;
    
    // Non-literal Regexp - tsr-detect-non-literal-regexp
    var myregexpText: String = "/(x+x+)+y/";
    var myregexp: RegExp = new RegExp(myregexpText);
    myregexp.test("(x+x+)+y");
    
    // Markup escaping disabled - tsr-detect-disable-mustache-escape
    var template: Object = new Object;
    template.escapeMarkup = false;
    
    // Detects HTML injections - tsr-detect-html-injection
    var element: Element =  document.getElementById("mydiv");
    var content: String = "mycontent"
    Element.innerHTML = content;
    
    // Timing attack - tsr-detect-possible-timing-attacks
    var userInput: String = "Jane";
    var auth: String = "Jane";
    if (userInput == auth) {
      console.log(userInput);
    }
    
  6. In the Commit message field, enter Add vulnerable file.
  7. In the Target Branch field, enter test-branch.
  8. Select Commit changes. The New merge request form opens.
  9. Select Create merge request.
  10. In the new merge request, select Create merge request.

    Wait for the pipeline to complete. This could be a few minutes.

The merge request security widget confirms that security scanning detected one potential vulnerability. As defined in the merge request approval policy, the merge request is blocked and waiting for approval.

You now know how to set up and use merge request approval policies to catch vulnerabilities!