ISSUE-504 High Quick Access and Authorization
No merge request approval rule covering all protected branches
Control: An MR approval rule must be defined to cover all protected branches · Config key: mrApprovalRuleMustCoverAllProtectedBranches
📋 What is this?
There is no merge request approval rule configured in the project that applies to all protected branches.
⚠️ Impact
Without an approval rule that covers all protected branches, some of them lack the necessary review process, increasing the likelihood of unauthorized or insecure changes being merged.
🔧 How to fix
Create a merge request approval rule in the project that covers all protected branches.
✗ Before
No approval rule covers all protected branches — some branches can be merged without review.
# GitLab project settings — ❌ No approval rule for all branches
# Settings > Merge requests > Approval rules:
#
# Rule: "QA Team" → applies to: main
# Rule: "Dev Team" → applies to: develop
#
# There is no rule that applies to ALL protected branches.
# Branches like release/* have no approval requirement.
✓ After
An approval rule covering all protected branches ensures consistent review.
# GitLab project settings — ✅ Approval rule covers all protected branches
# Settings > Merge requests > Approval rules:
#
# Rule: "All Approvals" → applies to: All protected branches
# Eligible approvers: Maintainers
# Approvals required: 1
#
# .plumber.yaml
controls:
  mrApprovalRuleMustCoverAllProtectedBranches:
    enabled: true
💡 Tips
- Create one 'catch-all' rule that targets all protected branches as a baseline.
- You can add additional branch-specific rules on top of the catch-all rule.
- This control complements ISSUE-502 (minimum approvals) for a complete review policy.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
controls:
  mrApprovalRuleMustCoverAllProtectedBranches:
    enabled: true
See the CLI documentation for the full configuration reference.
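The Before and After rule sets above can be checked mechanically. The following Python is an added example, not the tool's own implementation: it audits constructed data shaped like the GitLab REST responses for `GET /projects/:id/protected_branches` and `GET /projects/:id/approval_rules`. The names `rule_scope`, `audit` and `_rule` are hypothetical, and it assumes a rule scoped to no branch applies to every branch.

```python
# Added example: audit GitLab approval rules for protected-branch coverage.
# The data below is constructed, shaped like the JSON returned by
#   GET /projects/:id/protected_branches
#   GET /projects/:id/approval_rules

PROTECTED = [{"name": "main"}, {"name": "develop"}, {"name": "release/*"}]

def _rule(name, all_protected, branches):
    """Build a constructed approval-rule record (hypothetical helper)."""
    return {
        "name": name,
        "approvals_required": 1,
        "applies_to_all_protected_branches": all_protected,
        "protected_branches": [{"name": b} for b in branches],
    }

BEFORE_RULES = [_rule("QA Team", False, ["main"]),
                _rule("Dev Team", False, ["develop"])]
AFTER_RULES = BEFORE_RULES + [_rule("All Approvals", True, [])]

def rule_scope(rule):
    """Return None for a catch-all rule, else the branch names it targets."""
    if rule.get("applies_to_all_protected_branches"):
        return None
    names = {b["name"] for b in rule.get("protected_branches", [])}
    # Assumption: a rule scoped to no branch applies to every branch.
    return names or None

def audit(protected, rules):
    """Return (catch-all rule names, protected branches no rule covers)."""
    catch_all, covered = [], set()
    for rule in rules:
        scope = rule_scope(rule)
        if scope is None:
            catch_all.append(rule["name"])
        else:
            covered |= scope
    if catch_all:
        return catch_all, []
    uncovered = sorted(b["name"] for b in protected if b["name"] not in covered)
    return catch_all, uncovered

if __name__ == "__main__":
    for label, rules in (("before", BEFORE_RULES), ("after", AFTER_RULES)):
        catch_all, uncovered = audit(PROTECTED, rules)
        status = "PASS" if catch_all else "FAIL"
        print(f"{label}: {status} catch-all={catch_all} uncovered={uncovered}")
```

The control is treated as passing only when at least one catch-all rule exists; the uncovered list shows which protected branches currently merge without any approval rule.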