Merge requests in a project should require at least one approval before they can be merged. Setting ApprovalsBeforeMerge to zero (or leaving it null) means any developer with write access can merge their own MR without review, which violates separation of duties and bypasses code review controls. On Free tier, the project carries a single approval rule; Premium and Ultimate add multi-rule support, but the top-level ApprovalsBeforeMerge gate still applies on every tier.

Reference: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/settings.html
1. In GitLab, navigate to the project: Settings > Merge requests.
2. Expand the 'Merge request approvals' section.
3. Set 'Approvals required' to a value greater than 0 (typically 1 or 2 depending on team size).
4. Save changes.
5. Optionally configure 'Prevent author approval' and 'Prevent committers from approval' for stricter separation of duties.
{
  "target": "GLProjectMergeRequestApproval",
  "if": {
    "allOf": [
      {
        "resource": "GLProjectMergeRequestApproval",
        "property": "ApprovalsBeforeMerge",
        "operator": "greaterThan",
        "value": 0
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
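The following added example (not DevOps Shield's own engine or code from this page) evaluates the policy definition above against constructed project records, showing that zero, null and absent values of ApprovalsBeforeMerge all fail the check. It assumes the `if` block describes the compliant state, that a failing resource is reported with the `then` effect, and that `greaterThan` is never satisfied by a null or missing value; the `type` and `project` fields and the project names are hypothetical.

```python
import json

# The policy definition from this page (same content, compacted).
POLICY = json.loads("""
{
  "target": "GLProjectMergeRequestApproval",
  "if": {"allOf": [{
    "resource": "GLProjectMergeRequestApproval",
    "property": "ApprovalsBeforeMerge",
    "operator": "greaterThan", "value": 0
  }]},
  "then": {"effect": "Audit"}
}
""")

# Constructed sample resources (hypothetical projects), not real scan output.
SAMPLE_RESOURCES = [
    {"type": "GLProjectMergeRequestApproval", "project": "payments-api", "ApprovalsBeforeMerge": 2},
    {"type": "GLProjectMergeRequestApproval", "project": "infra-modules", "ApprovalsBeforeMerge": 0},
    {"type": "GLProjectMergeRequestApproval", "project": "legacy-tools", "ApprovalsBeforeMerge": None},
    {"type": "GLProjectMergeRequestApproval", "project": "docs-site"},
    {"type": "GLProject", "project": "other", "ApprovalsBeforeMerge": 0},
]


def condition_holds(cond, resource):
    """Evaluate one condition; a null, missing or non-numeric value never satisfies it (assumption)."""
    actual = resource.get(cond["property"])
    if isinstance(actual, bool) or not isinstance(actual, (int, float)):
        return False
    if cond["operator"] == "greaterThan":
        return actual > cond["value"]
    raise ValueError(f"operator not handled in this sketch: {cond['operator']}")


def evaluate(policy, resources):
    """Return (project, status) for each resource of the policy's target type."""
    results = []
    for res in resources:
        if res.get("type") != policy["target"]:
            continue  # out of scope for this policy
        ok = all(condition_holds(c, res) for c in policy["if"]["allOf"])
        status = "Compliant" if ok else f"NonCompliant ({policy['then']['effect']})"
        results.append((res["project"], status))
    return results

if __name__ == "__main__":
    for project, status in evaluate(POLICY, SAMPLE_RESOURCES):
        print(f"{project}: {status}")
```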