Closed cmavromichalis closed 2 years ago
Maybe this is a matter of preference and developers should wait for SAST jobs to finish before assigning to marge-bot, but it seems like marge-bot should handle this, imo.
Vulnerability Check is being deprecated and replaced by security approval policies in GitLab 15.0: https://docs.gitlab.com/ee/user/application_security/policies/scan-result-policies
Will close this.
On our GitLab instance we are using SAST and use the Vulnerability-Check group that GitLab creates from using SAST.
We have noticed that sometimes a developer will assign a merge request to marge-bot and marge-bot will report:
I couldn't merge this branch: Insufficient approvals (have: ['joeuser'] missing: 1)
marge-bot will only report this if SAST checks are running. The developer has to wait for SAST checks to complete and then assign it to marge-bot again.
If SAST checks complete in time and are passing, marge-bot will merge the merge request with no problem. This feels like a race condition.
It would be nice if marge-bot had the ability to wait for Vulnerability-Checks.
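The wait-instead-of-fail behaviour requested above, as an added sketch that is not marge-bot's code and not part of the original issue. It assumes the `rules[].name` / `rules[].approved` fields of GitLab's merge request approval state and GitLab's pipeline status strings, and it assumes the Vulnerability-Check rule reads as approved once a clean scan finishes; `fetch` is a hypothetical callable and the payloads are constructed.

```python
import time

# Pipeline statuses GitLab reports before a pipeline has finished.
IN_FLIGHT = {"created", "waiting_for_resource", "preparing", "pending", "running"}
SCAN_RULE = "Vulnerability-Check"  # approval rule name from the issue above


def classify(approval_state, pipeline_status):
    """Return 'merge', 'wait' or 'reject' for one merge request."""
    unmet = {r["name"] for r in approval_state["rules"] if not r["approved"]}
    if unmet - {SCAN_RULE}:
        return "reject"   # a rule other than the scan rule lacks approval
    if pipeline_status in IN_FLIGHT:
        return "wait"     # scan verdict not in yet: do not merge, do not give up
    if unmet:
        return "reject"   # scan finished and the rule still wants an approver
    return "merge" if pipeline_status == "success" else "reject"


def wait_for_scan(fetch, attempts=20, delay=30, sleep=time.sleep):
    """Poll fetch() -> (approval_state, pipeline_status) until the decision is final."""
    for _ in range(attempts):
        decision = classify(*fetch())
        if decision != "wait":
            return decision
        sleep(delay)
    return "reject"       # bounded wait: never merge on a timeout


# Constructed sample payloads (only the fields used here; "Maintainers" is made up).
SCANNING = {"rules": [{"name": "Maintainers", "approved": True},
                      {"name": SCAN_RULE, "approved": False}]}
CLEARED = {"rules": [{"name": "Maintainers", "approved": True},
                     {"name": SCAN_RULE, "approved": True}]}

if __name__ == "__main__":
    polls = iter([(SCANNING, "running"), (SCANNING, "running"), (CLEARED, "success")])
    print(wait_for_scan(lambda: next(polls), sleep=lambda s: None))  # merge
```

The ordering matters for the security gate: a missing human approval or a finished scan that still demands an approver is rejected immediately, and a timeout also rejects rather than merges.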