Ensure requiring user password to approve
By default, users who commit to a merge request can still approve it. You can prevent committers from approving merge requests that are partially their own at either the project level or the instance level.
Risk Level: medium
Platform: GitLab
Spectral Rule ID: GL-HRD004
REMEDIATION
To do this:
SaaS:
- Enable password authentication for the web interface, as described here.
- Go to your project and select Settings > General.
- Expand Merge request (MR) approvals.
- Select the "Require user password to approve" checkbox.
- Select Save changes.
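
The result of these steps can be verified through the GitLab API instead of the UI. The following is an added example, not part of the original rule or the scanner's own code: it evaluates the JSON returned by GET /projects/:id/approvals for the password setting named in the title and the committer-approval setting named in the description. The project paths and sample responses are constructed, and the helper names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Fields of GET /projects/:id/approvals that this rule page concerns.
REQUIRED = {
    "require_password_to_approve": True,
    "merge_requests_disable_committers_approval": True,
}

def fetch_approval_settings(base_url, project_id, token):
    """Read a project's MR approval settings (needs network and an API token)."""
    pid = urllib.parse.quote(str(project_id), safe="")
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{pid}/approvals",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def findings(settings):
    """Return the required settings that are missing or not enabled."""
    return sorted(k for k, want in REQUIRED.items() if settings.get(k) is not want)

def audit(projects):
    """Map project path -> failed settings, for non-compliant projects only."""
    report = {}
    for path, settings in projects.items():
        failed = findings(settings)
        if failed:
            report[path] = failed
    return report

# Constructed sample responses (not real projects), shaped like the API output.
SAMPLE = {
    "group/compliant": {"require_password_to_approve": True,
                        "merge_requests_disable_committers_approval": True},
    "group/no-password": {"require_password_to_approve": False,
                          "merge_requests_disable_committers_approval": True},
    # A response lacking the fields is treated as non-compliant, not as a pass.
    "group/missing-fields": {"merge_requests_author_approval": False},
}

if __name__ == "__main__":
    for path, failed in audit(SAMPLE).items():
        print(f"{path}: FAIL {', '.join(failed)}")
```

To run it against a live instance, pass the output of fetch_approval_settings for each project into audit in place of SAMPLE.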
Updated about 1 year ago