The Merge Monitor tool looks in public GitLab repositories that JiHu contributes to for merge requests that:
Any findings will be included in reports that are created as issues in the jihu_merge_request_monitor_reports repository. The Federal AppSec team is pinged on each report that is created and the expectation is that they will review each finding.
The Merge Monitor runs via scheduled pipeline. It de-duplicates any findings by checking for open Merge Monitor Report issues for related merge requests and filtering out any findings that are already known.
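The de-duplication step described above, as an added example that is not the Merge Monitor's own code: it assumes (constructed for this example) that a finding is identified by its project path and merge request iid, and that open report issues mention the merge requests they cover either by URL or by the `group/project!iid` short reference in their description.

```python
"""De-duplicate Merge Monitor findings against open report issues (illustrative)."""
import re
from dataclasses import dataclass

# Matches full MR URLs and GitLab short references such as group/project!123.
MR_URL_RE = re.compile(r"https://gitlab\.com/(?P<path>[\w./-]+?)/-/merge_requests/(?P<iid>\d+)")
MR_REF_RE = re.compile(r"(?P<path>\w[\w./-]*\w)!(?P<iid>\d+)")


@dataclass(frozen=True)
class Finding:
    project: str   # full project path, e.g. "example-group/project-a"
    mr_iid: int    # merge request iid within that project
    reason: str    # why the MR was flagged


def known_mrs(open_report_issues):
    """Collect (project, iid) pairs referenced by still-open report issues."""
    known = set()
    for issue in open_report_issues:
        text = issue["description"]
        for pattern in (MR_URL_RE, MR_REF_RE):
            for m in pattern.finditer(text):
                known.add((m.group("path"), int(m.group("iid"))))
    return known


def dedupe(findings, open_report_issues):
    """Drop findings whose merge request already appears in an open report."""
    known = known_mrs(open_report_issues)
    return [f for f in findings if (f.project, f.mr_iid) not in known]


# Constructed sample data standing in for API results: two open reports, three findings.
OPEN_REPORTS = [
    {"iid": 41, "description": "Merge Monitor Report\n\n"
     "- https://gitlab.com/example-group/project-a/-/merge_requests/1001 merged without review\n"},
    {"iid": 42, "description": "Finding: example-group/project-b!77 lacks sec-planning label"},
]
FINDINGS = [
    Finding("example-group/project-a", 1001, "no sec-planning::complete label"),
    Finding("example-group/project-b", 77, "no sec-planning::complete label"),
    Finding("example-group/project-a", 1002, "no sec-planning::complete label"),
]


def new_findings():
    """Only the third finding is new; the other two are already reported."""
    return dedupe(FINDINGS, OPEN_REPORTS)


if __name__ == "__main__":
    for f in new_findings():
        print(f"{f.project}!{f.mr_iid}: {f.reason}")
```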
For each finding mentioned in a Merge Monitor report:
- `sec-planning::complete` label to the merge request
- `sec-planning::complete` label to the merge request, check the
  - AppSec review was not performed before merge, or
  - Review was performed but the sec-planning label did not get applied
In the event that you find a vulnerability or other security concern in a finding:
Since the Merge Monitor uses a Project Access Token in the jihu_merge_request_monitor_reports, it can only be used to find merge requests in public repositories that the JiHu team contributes to. Some repositories require manual review as mentioned in the certification process documentation and are not covered by this tool. Contributions to these repositories are reviewed as part of the regular monthly release certification process.