To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#adding--editing-a-default-approval-rule)
To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#add-an-approval-rule)
must be created. A [security scanner job](#security-scanning-tools) must be enabled for
`Vulnerability-Check`, and a [license scanning](../compliance/license_compliance/index.md#configuration)
job must be enabled for `License-Check`. When the proper jobs aren't configured, the following
-[At the instance level](../../../admin_area/merge_requests_approvals.md)
If no approval rules are defined, any user can approve a merge request. However, the default
minimum number of required approvers can still be set in the
[settings for merge request approvals](settings.md).
If you don't define a [default approval rule](#add-an-approval-rule),
any user can approve a merge request. Even if you don't define a rule, you can still
enforce a [minimum number of required approvers](settings.md) in the project's settings.
You can opt to define one single rule to approve a merge request among the available rules
or choose more than one with [multiple approval rules](#multiple-approval-rules).
You can define a single rule to approve merge requests from among the available
rules, or you can select [multiple approval rules](#add-multiple-approval-rules).
NOTE:
On GitLab.com, you can add a group as an approver if you're a member of that group or the
group is public.
Merge requests that target a different project, such as from a fork to the upstream project,
use the default approval rules from the target (upstream) project, not the source (fork).
## Eligible Approvers
## Add an approval rule
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget.
To add a merge request approval rule:
The following users can approve merge requests:
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**, and then select **Add approval rule**.
1. Add a human-readable **Rule name**.
1. Set the number of required approvals in **Approvals required**. A value of `0` makes
[the rule optional](#configure-optional-approval-rules), and any number greater than `0`
creates a required rule.
1. To add users or groups as approvers, search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**. GitLab suggests approvers based on
previous authors of the files changed by the merge request.
- Users who have been added as approvers at the project or merge request levels with
developer or higher [permissions](../../../permissions.md).
-[Code owners](#code-owners-as-eligible-approvers) of the files changed by the merge request
that have developer or higher [permissions](../../../permissions.md).
NOTE:
On GitLab.com, you can add a group as an approver if you're a member of that group or the
group is public.
An individual user can be added as an approver for a project if they are a member of:
1. Select **Add approval rule**.
- The project.
- The project's immediate parent group.
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
Users of GitLab Premium and higher tiers can create [additional approval rules](#add-multiple-approval-rules).
A group of users can also be added as approvers, though they only count as approvers if
they have direct membership to the group. In the future, group approvers may be
[restricted to only groups with share access to the project](https://gitlab.com/gitlab-org/gitlab/-/issues/2048).
Your configuration for approval rule overrides determines if the new rule is applied
to existing merge requests:
If a user is added as an individual approver and is also part of a group approver,
then that user is just counted once. The merge request author, and users who have committed
to the merge request, do not count as eligible approvers,
if [**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)(enabled by default)
and [**Prevent committers approval**](settings.md#prevent-approval-of-merge-requests-by-their-committers)(disabled by default)
are enabled on the project settings.
- If [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
changes to these default rules are not applied to existing merge requests, except for
changes to the [target branch](#approvals-for-protected-branches) of the rule.
- If approval rule overrides are not allowed, all changes to default rules
are applied to existing merge requests. Any approval rules that were previously
manually [overridden](#edit-or-override-merge-request-approval-rules) during the
period when approval rule overrides where allowed, are not modified.
When an eligible approver comments on a merge request, it displays in the
**Commented by** column of the Approvals widget. It indicates who participated in
the merge request review. Authors and reviewers can also identify who they should reach out
to if they have any questions about the content of the merge request.
## Edit an approval rule
### Implicit Approvers
To edit a merge request approval rule:
If the number of required approvals is greater than the number of assigned approvers,
approvals from other users counts towards meeting the requirement. These would be
users with developer [permissions](../../../permissions.md) or higher in the project who
were not explicitly listed in the approval rules.
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**, and then select **Edit**.
1. (Optional) Change the **Rule name**.
1. Set the number of required approvals in **Approvals required**. The minimum value is `0`.
1. Add or remove eligible approvers, as needed:
-*To add users or groups as approvers,* search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**.
### Code Owners as eligible approvers
NOTE:
On GitLab.com, you can add a group as an approver if you're a member of that group or the
group is public.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7933) in GitLab 11.5.
> - Moved to GitLab Premium in 13.9.
-*To remove users or groups,* identify the group or user to remove, and
select **{remove}****Remove**.
1. Select **Update approval rule**.
If you add [Code Owners](../../code_owners.md) to your repository, the owners to the
corresponding files become eligible approvers, together with members with Developer
or higher [permissions](../../../permissions.md).
## Add multiple approval rules **(PREMIUM)**
To enable this merge request approval rule:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1979) in GitLab Premium 11.10.
1. Navigate to your project's **Settings > General** and expand
**Merge request (MR) approvals**.
1. Locate **Any eligible user** and choose the number of approvals required.
In GitLab Premium and higher tiers, you can enforce multiple approval rules on a
merge request, and multiple default approval rules for a project. If your tier
supports multiple default rules:
- When [adding](#add-an-approval-rule) or [editing](#edit-an-approval-rule) an approval rule
for a project, GitLab displays the **Add approval rule** button even after a rule is defined.
- When editing or overriding multiple approval rules
[on a merge request](#edit-or-override-merge-request-approval-rules), GitLab
displays the **Add approval rule** button even after a rule is defined.
Once set, merge requests can only be merged once approved by the
number of approvals you've set. GitLab accepts approvals from
users with Developer or higher permissions, as well as by Code Owners,
indistinguishably.
When an [eligible approver](#eligible-approvers) approves a merge request, it
reduces the number of approvals left (the **Approvals** column) for all rules that the approver belongs to:
Alternatively, you can **require**
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners). **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4.
> - Moved to Premium in 13.9.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget.
Managers or operators with [Reporter permissions](../../../permissions.md#project-members-permissions)
to a project sometimes need to be required approvers of a merge request,
before a merge to a protected branch begins. These approvers aren't allowed
to push or merge code to any branches.
To be eligible as an approver for a project, a user must be a member of one or
more of these:
To enable this access:
- The project.
- The project's immediate parent [group](#group-approvers).
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
- A [group added as approvers](#group-approvers).
1.[Create a new group](../../../group/index.md#create-a-group), and then
[add the user to the group](../../../group/index.md#add-users-to-a-group),
ensuring you select the Reporter role for the user.
1.[Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Navigate to your project's **Settings > General**, and in the
MR approvals can be configured to be optional, which can help if you're working
on a team where approvals are appreciated, but not required.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4.
> - Moved to GitLab Premium in 13.9.
To configure an approval to be optional, set the number of required approvals in **Approvals required** to `0`.
You may need to grant users with [Reporter permissions](../../../permissions.md#project-members-permissions),
permission to approve merge requests before they can merge to a protected branch.
Some users (like managers) may not need permission to push or merge code, but still need
oversight on proposed work. To enable approval permissions for these users without
granting them push access:
You can also set an optional approval rule through the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule), by setting the `approvals_required` attribute to `0`.
1.[Create a new group](../../../group/index.md#create-a-group).
1.[Add the user to the group](../../../group/index.md#add-users-to-a-group),
and select the Reporter role for the user.
1.[Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**.
1. Select **Add approval rule** or **Update approval rule**.
1.[Add the group](../../../group/index.md#create-a-group) to the permission list.
Merge request approvals can be optional for projects where approvals are
appreciated, but not required. To make an approval rule optional:
## Scoped to protected branch **(PREMIUM)**
- When you [create or edit a rule](#edit-an-approval-rule), set **Approvals required** to `0`.
- Use the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule)
to set the `approvals_required` attribute to `0`.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.8.
## Approvals for protected branches **(PREMIUM)**
Approval rules are often only relevant to specific branches, like `master`.
When configuring [**Default Approval Rules**](#adding--editing-a-default-approval-rule)
these can be scoped to all the protected branches at once by navigating to your project's
**Settings**, expanding **Merge request (MR) approvals**, and selecting **Any branch** from
the **Target branch** dropdown.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in GitLab Premium 12.8.
Alternatively, you can select a very specific protected branch from the **Target branch** dropdown:
Approval rules are often relevant only to specific branches, like your
[default branch](../../repository/branches/default.md). To configure an
approval rule for certain branches:
1.[Create an approval rule](#add-an-approval-rule).
1. Go to your project and select **Settings**.
1. Expand **Merge request (MR) approvals**.
1. Select a **Target branch**:
- To protect all branches, select **Any branch**.
- To select a specific branch, select it from the list:
To enable this configuration, see [Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners).
1. To enable this configuration, read
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners).
