Projects should set ResetApprovalsOnPush = true so that any new commit pushed to a merge request's source branch invalidates all prior approvals and forces a fresh review of the changed code. Without this gate, anyone with push access to the source branch (an attacker with a compromised developer account, or a well-meaning developer who force-pushes a rewrite) could add code to an already-approved MR and merge it without anyone reading the new commits, defeating the purpose of code review entirely. The corresponding field in GitLab's Merge request approvals API (GET/PUT /projects/:id/approvals) is reset_approvals_on_push. This setting is available on every GitLab tier. Reference: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/settings.html#reset-approvals-on-push
1. In GitLab, navigate to the project: Settings > Merge requests.
2. Expand the 'Approval settings' section.
3. Enable 'Remove all approvals when commits are added to the source branch'.
4. Save changes.
5. Inform reviewers that previously-approved MRs with new commits will require fresh approval.
{
  "target": "GLProjectMergeRequestApproval",
  "if": {
    "allOf": [
      {
        "resource": "GLProjectMergeRequestApproval",
        "property": "ResetApprovalsOnPush",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
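The following Python script is an added example, not DevOps Shield's or GitLab's own code. It evaluates the policy rule above against the JSON body that GitLab's Merge request approvals API returns for a project, and when the project is non-compliant it builds the PUT request that applies the remediation steps programmatically. Assumptions: the GET/PUT /projects/:id/approvals endpoints and the reset_approvals_on_push and selective_code_owner_removals fields as documented in GitLab's API; that a project whose settings match the rule's "if" block counts as compliant (an assumption about how DevOps Shield evaluates rules); and the host, token, project ID and the sample API responses, which are all constructed so the script runs offline without contacting any GitLab instance.

```python
"""Audit and remediation helper for GitLab's "reset approvals on push" setting.

Added example; not DevOps Shield's or GitLab's code. Assumes GitLab's
Merge request approvals API (GET/PUT /projects/:id/approvals). The host,
token, project ID and the sample responses below are constructed so the
logic can be exercised offline; nothing here sends a request.
"""
import json
import urllib.request
from typing import Any

# The rule from this page. ASSUMPTION: a project whose settings match the
# "if" block is in the desired state; anything else is a finding.
POLICY_RULE: dict = {
    "target": "GLProjectMergeRequestApproval",
    "if": {"allOf": [{"resource": "GLProjectMergeRequestApproval",
                      "property": "ResetApprovalsOnPush",
                      "operator": "equals",
                      "value": True}]},
    "then": {"effect": "Audit"},
}

# Policy property name -> field name in the GitLab API response.
FIELD_MAP = {"ResetApprovalsOnPush": "reset_approvals_on_push"}

# Constructed sample bodies in the shape GET /projects/:id/approvals returns.
SAMPLE_NONCOMPLIANT = {
    "approvals_before_merge": 1,
    "reset_approvals_on_push": False,
    "selective_code_owner_removals": False,
    "disable_overriding_approvers_per_merge_request": True,
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
}
SAMPLE_COMPLIANT = dict(SAMPLE_NONCOMPLIANT, reset_approvals_on_push=True)


def evaluate(condition: dict, resource: dict) -> bool:
    """Recursively evaluate an allOf/anyOf/leaf condition against a resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    field = FIELD_MAP.get(condition["property"], condition["property"])
    actual = resource.get(field)  # absent field -> None, which never equals True
    op = condition["operator"]
    if op == "equals":
        return actual == condition["value"]
    if op == "notEquals":
        return actual != condition["value"]
    raise ValueError(f"unsupported operator: {op!r}")


def is_compliant(approval_settings: dict) -> bool:
    """True when the project's approval settings satisfy POLICY_RULE's if-block."""
    return evaluate(POLICY_RULE["if"], approval_settings)


def remediation_request(current: dict, base_url: str, project_id: int,
                        token: str) -> urllib.request.Request:
    """Build (but do not send) the PUT that turns the full reset on.

    GitLab documents selective_code_owner_removals (reset only Code Owner
    approvals) as mutually exclusive with reset_approvals_on_push, so if the
    project has the weaker option enabled it is switched off in the same call.
    """
    payload: dict[str, Any] = {"reset_approvals_on_push": True}
    if current.get("selective_code_owner_removals"):
        payload["selective_code_owner_removals"] = False
    url = f"{base_url}/api/v4/projects/{project_id}/approvals"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )


def audit(approval_settings: dict, project_id: int, base_url: str, token: str) -> dict:
    """Return the finding; attach the remediation request only when non-compliant."""
    ok = is_compliant(approval_settings)
    return {
        "project_id": project_id,
        "effect": POLICY_RULE["then"]["effect"],
        "compliant": ok,
        "remediation": None if ok else remediation_request(
            approval_settings, base_url, project_id, token),
    }


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT),
                          ("non-compliant", SAMPLE_NONCOMPLIANT)):
        finding = audit(sample, 42, "https://gitlab.example.com", "glpat-REDACTED")
        req = finding["remediation"]
        print(label, "->", "no action" if req is None
              else f"{req.get_method()} {req.full_url} {req.data.decode()}")
```

To run this against a real instance, fetch the settings with GET /api/v4/projects/:id/approvals using a token that has the api scope and Maintainer rights, pass the decoded JSON to audit(), and submit the returned Request with urllib.request.urlopen only after a human has reviewed the finding; a token with write access to every project's approval settings is itself a sensitive credential and should be scoped and rotated accordingly.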
Copyright © DevOps Shield. All Rights Reserved.