policy name: repository_allows_overriding_approvers
severity: MEDIUM
description: A repository should not allow merge request authors to freely edit the list of required approvers. To ensure that code is reviewed only by authorized personnel, the option to override the list of valid approvers for a merge request must be toggled off.
threat: Users can merge code without review by the designated approvers, which can lead to insecure code reaching the main branch and production.
remediation:
- Make sure you have admin permissions
- Go to the repo's settings page
- Open the "Merge Requests" tab
- Under "Approval settings", check "Prevent editing approval rules in merge requests"
- Click "Save Changes"
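The UI steps above fix one repository at a time. The following is an added example (not code from the policy page or the tool that publishes it) showing how a defender could audit the same setting across many projects. It relies on GitLab's project-level approvals endpoint, `GET /projects/:id/approvals`, whose JSON response carries the boolean `disable_overriding_approvers_per_merge_request`; the "Prevent editing approval rules in merge requests" checkbox maps to that field being `true`. The project names and sample responses are constructed for illustration, and the optional live-fetch helper assumes a `PRIVATE-TOKEN` with read access to the project.

```python
"""Audit GitLab projects for the repository_allows_overriding_approvers policy.

Added example, not part of the original policy page. The approvals endpoint
and the field name come from the GitLab REST API; everything else here
(project names, sample responses) is constructed.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICY_NAME = "repository_allows_overriding_approvers"
SEVERITY = "MEDIUM"
SETTING = "disable_overriding_approvers_per_merge_request"


@dataclass
class Finding:
    project: str
    policy: str
    severity: str
    message: str


def evaluate_approval_settings(project: str, settings: Dict) -> Optional[Finding]:
    """Return a Finding when MR authors may edit the required approvers.

    The policy passes only when the setting is explicitly true. A missing or
    false value is reported: an unknown state should be surfaced, not passed.
    """
    if settings.get(SETTING) is True:
        return None
    return Finding(
        project=project,
        policy=POLICY_NAME,
        severity=SEVERITY,
        message=(
            "Merge request authors can edit the required approvers list; "
            "enable 'Prevent editing approval rules in merge requests'."
        ),
    )


def fetch_approval_settings(base_url: str, project_id: str, token: str) -> Dict:
    """Fetch live settings (needs network; not used by the offline demo).

    project_id is a numeric id or a URL-encoded 'group%2Fproject' path.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/approvals",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(responses: Dict[str, Dict]) -> List[Finding]:
    """Evaluate a mapping of project name -> approvals response."""
    findings = []
    for project, settings in responses.items():
        finding = evaluate_approval_settings(project, settings)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample responses, shaped like the approvals endpoint output.
SAMPLE_RESPONSES = {
    "example-group/payments-api": {  # weak: authors may override approvers
        "approvals_before_merge": 2,
        "reset_approvals_on_push": True,
        SETTING: False,
    },
    "example-group/infra": {  # compliant: overriding disabled
        "approvals_before_merge": 1,
        "reset_approvals_on_push": True,
        SETTING: True,
    },
}


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"[{f.severity}] {f.project}: {f.policy} - {f.message}")
```

Running the script offline reports only `example-group/payments-api`; to audit real projects, feed the output of `fetch_approval_settings` for each project into `audit` instead of the constructed sample.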