To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#adding--editing-a-default-approval-rule)
To enable the `Vulnerability-Check` or `License-Check` Security Approvals, a [project approval rule](../project/merge_requests/approvals/rules.md#add-an-approval-rule)
must be created. A [security scanner job](#security-scanning-tools) must be enabled for
must be created. A [security scanner job](#security-scanning-tools) must be enabled for
`Vulnerability-Check`, and a [license scanning](../compliance/license_compliance/index.md#configuration)
`Vulnerability-Check`, and a [license scanning](../compliance/license_compliance/index.md#configuration)
job must be enabled for `License-Check`. When the proper jobs aren't configured, the following
job must be enabled for `License-Check`. When the proper jobs aren't configured, the following
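Review bot: check for other inbound links to `rules.md#adding--editing-a-default-approval-rule` before merging. The first line of this paragraph moves to `#add-an-approval-rule`, so the old heading anchor is being retired, and any page still pointing at it will no longer land on the procedure for creating the `Vulnerability-Check` or `License-Check` rule.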
-[At the instance level](../../../admin_area/merge_requests_approvals.md)
If no approval rules are defined, any user can approve a merge request. However, the default
If you don't define a [default approval rule](#add-an-approval-rule),
minimum number of required approvers can still be set in the
any user can approve a merge request. Even if you don't define a rule, you can still
[settings for merge request approvals](settings.md).
enforce a [minimum number of required approvers](settings.md) in the project's settings.
You can opt to define one single rule to approve a merge request among the available rules
You can define a single rule to approve merge requests from among the available
or choose more than one with [multiple approval rules](#multiple-approval-rules).
rules, or you can select [multiple approval rules](#add-multiple-approval-rules).
NOTE:
Merge requests that target a different project, such as from a fork to the upstream project,
On GitLab.com, you can add a group as an approver if you're a member of that group or the
use the default approval rules from the target (upstream) project, not the source (fork).
group is public.
## Eligible Approvers
## Add an approval rule
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget.
To add a merge request approval rule:
The following users can approve merge requests:
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**, and then select **Add approval rule**.
1. Add a human-readable **Rule name**.
1. Set the number of required approvals in **Approvals required**. A value of `0` makes
[the rule optional](#configure-optional-approval-rules), and any number greater than `0`
creates a required rule.
1. To add users or groups as approvers, search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**. GitLab suggests approvers based on
previous authors of the files changed by the merge request.
- Users who have been added as approvers at the project or merge request levels with
NOTE:
developer or higher [permissions](../../../permissions.md).
On GitLab.com, you can add a group as an approver if you're a member of that group or the
-[Code owners](#code-owners-as-eligible-approvers) of the files changed by the merge request
group is public.
that have developer or higher [permissions](../../../permissions.md).
An individual user can be added as an approver for a project if they are a member of:
1. Select **Add approval rule**.
- The project.
Users of GitLab Premium and higher tiers can create [additional approval rules](#add-multiple-approval-rules).
- The project's immediate parent group.
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
A group of users can also be added as approvers, though they only count as approvers if
Your configuration for approval rule overrides determines if the new rule is applied
they have direct membership to the group. In the future, group approvers may be
to existing merge requests:
[restricted to only groups with share access to the project](https://gitlab.com/gitlab-org/gitlab/-/issues/2048).
If a user is added as an individual approver and is also part of a group approver,
- If [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
then that user is just counted once. The merge request author, and users who have committed
changes to these default rules are not applied to existing merge requests, except for
to the merge request, do not count as eligible approvers,
changes to the [target branch](#approvals-for-protected-branches) of the rule.
if [**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)(enabled by default)
- If approval rule overrides are not allowed, all changes to default rules
and [**Prevent committers approval**](settings.md#prevent-approval-of-merge-requests-by-their-committers)(disabled by default)
are applied to existing merge requests. Any approval rules that were previously
are enabled on the project settings.
manually [overridden](#edit-or-override-merge-request-approval-rules) during the
period when approval rule overrides where allowed, are not modified.
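Review bot: typo in the last added bullet, "during the period when approval rule overrides where allowed, are not modified": `where` should be `were`, and the comma before "are not modified" separates the subject from its verb. Suggest "Approval rules that were manually overridden while overrides were allowed are not modified." Because this list decides whether a changed default rule reaches merge requests that are already open, it would also help to state the consequence of the first bullet directly: with overrides allowed, an existing merge request keeps the rule it had, apart from target branch changes.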
When an eligible approver comments on a merge request, it displays in the
## Edit an approval rule
**Commented by** column of the Approvals widget. It indicates who participated in
the merge request review. Authors and reviewers can also identify who they should reach out
to if they have any questions about the content of the merge request.
### Implicit Approvers
To edit a merge request approval rule:
If the number of required approvals is greater than the number of assigned approvers,
1. Go to your project and select **Settings > General**.
approvals from other users counts towards meeting the requirement. These would be
1. Expand **Merge request (MR) approvals**, and then select **Edit**.
users with developer [permissions](../../../permissions.md) or higher in the project who
1. (Optional) Change the **Rule name**.
were not explicitly listed in the approval rules.
1. Set the number of required approvals in **Approvals required**. The minimum value is `0`.
1. Add or remove eligible approvers, as needed:
-*To add users or groups as approvers,* search for users or groups that are
[eligible to approve](#eligible-approvers), and select **Add**.
### Code Owners as eligible approvers
NOTE:
On GitLab.com, you can add a group as an approver if you're a member of that group or the
group is public.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7933) in GitLab 11.5.
-*To remove users or groups,* identify the group or user to remove, and
> - Moved to GitLab Premium in 13.9.
select **{remove}****Remove**.
1. Select **Update approval rule**.
If you add [Code Owners](../../code_owners.md) to your repository, the owners to the
## Add multiple approval rules **(PREMIUM)**
corresponding files become eligible approvers, together with members with Developer
or higher [permissions](../../../permissions.md).
To enable this merge request approval rule:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1979) in GitLab Premium 11.10.
1. Navigate to your project's **Settings > General** and expand
In GitLab Premium and higher tiers, you can enforce multiple approval rules on a
**Merge request (MR) approvals**.
merge request, and multiple default approval rules for a project. If your tier
1. Locate **Any eligible user** and choose the number of approvals required.
supports multiple default rules:
![MR approvals by Code Owners](img/mr_approvals_by_code_owners_v12_7.png)
- When [adding](#add-an-approval-rule) or [editing](#edit-an-approval-rule) an approval rule
for a project, GitLab displays the **Add approval rule** button even after a rule is defined.
- When editing or overriding multiple approval rules
[on a merge request](#edit-or-override-merge-request-approval-rules), GitLab
displays the **Add approval rule** button even after a rule is defined.
Once set, merge requests can only be merged once approved by the
When an [eligible approver](#eligible-approvers) approves a merge request, it
number of approvals you've set. GitLab accepts approvals from
reduces the number of approvals left (the **Approvals** column) for all rules that the approver belongs to:
users with Developer or higher permissions, as well as by Code Owners,
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners). **(PREMIUM)**
## Merge Request approval segregation of duties
## Eligible approvers
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10294) in GitLab 13.3, when an eligible approver comments on a merge request, it appears in the **Commented by** column of the Approvals widget.
> - Moved to Premium in 13.9.
Managers or operators with [Reporter permissions](../../../permissions.md#project-members-permissions)
To be eligible as an approver for a project, a user must be a member of one or
to a project sometimes need to be required approvers of a merge request,
more of these:
before a merge to a protected branch begins. These approvers aren't allowed
to push or merge code to any branches.
To enable this access:
- The project.
- The project's immediate parent [group](#group-approvers).
- A group that has access to the project via a [share](../../members/share_project_with_groups.md).
- A [group added as approvers](#group-approvers).
1.[Create a new group](../../../group/index.md#create-a-group), and then
The following users can approve merge requests if they have Developer or
[add the user to the group](../../../group/index.md#add-users-to-a-group),
higher [permissions](../../../permissions.md):
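Review bot: confirm that the `#group-approvers` section linked from both new list items exists in this change and carries over the exclusions from the text being replaced. The old section said group members "only count as approvers if they have direct membership to the group", that a user who is both an individual and a group approver is counted once, and that authors and committers are not eligible when **Prevent author approval** and **Prevent committers approval** are enabled. None of that appears in the added "Eligible approvers" lines shown here, and it is what a reader relies on to know who cannot approve a merge request.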
ensuring you select the Reporter role for the user.
1.[Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Navigate to your project's **Settings > General**, and in the
MR approvals can be configured to be optional, which can help if you're working
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40491) in GitLab 13.4.
on a team where approvals are appreciated, but not required.
> - Moved to GitLab Premium in 13.9.
To configure an approval to be optional, set the number of required approvals in **Approvals required** to `0`.
You may need to grant users with [Reporter permissions](../../../permissions.md#project-members-permissions),
permission to approve merge requests before they can merge to a protected branch.
Some users (like managers) may not need permission to push or merge code, but still need
oversight on proposed work. To enable approval permissions for these users without
granting them push access:
You can also set an optional approval rule through the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule), by setting the `approvals_required` attribute to `0`.
1.[Create a new group](../../../group/index.md#create-a-group).
1.[Add the user to the group](../../../group/index.md#add-users-to-a-group),
and select the Reporter role for the user.
1.[Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
based on the Reporter role.
1. Go to your project and select **Settings > General**.
1. Expand **Merge request (MR) approvals**.
1. Select **Add approval rule** or **Update approval rule**.
1.[Add the group](../../../group/index.md#create-a-group) to the permission list.
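Review bot: the last added step, "[Add the group](../../../group/index.md#create-a-group) to the permission list", links to the same `#create-a-group` anchor as step 1, so it never tells the reader how to add the group as an approver. Point it at the approver procedure (`#add-an-approval-rule` or `#edit-an-approval-rule`) and name the control in the approval rule form instead of "the permission list". The new intro sentence also needs a second pass: "You may need to grant users with Reporter permissions, permission to approve merge requests before they can merge to a protected branch" reads as if the Reporter users do the merging, while the text it replaces says these approvers "aren't allowed to push or merge code to any branches".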
Merge request approvals can be optional for projects where approvals are
appreciated, but not required. To make an approval rule optional:
## Scoped to protected branch **(PREMIUM)**
- When you [create or edit a rule](#edit-an-approval-rule), set **Approvals required** to `0`.
- Use the [Merge requests approvals API](../../../../api/merge_request_approvals.md#update-merge-request-level-rule)
to set the `approvals_required` attribute to `0`.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.8.
## Approvals for protected branches **(PREMIUM)**
Approval rules are often only relevant to specific branches, like `master`.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460) in GitLab Premium 12.8.
When configuring [**Default Approval Rules**](#adding--editing-a-default-approval-rule)
these can be scoped to all the protected branches at once by navigating to your project's
**Settings**, expanding **Merge request (MR) approvals**, and selecting **Any branch** from
the **Target branch** dropdown.
Alternatively, you can select a very specific protected branch from the **Target branch** dropdown:
Approval rules are often relevant only to specific branches, like your
[default branch](../../repository/branches/default.md). To configure an
approval rule for certain branches:
![Scoped to protected branch](img/scoped_to_protected_branch_v13_10.png)
1.[Create an approval rule](#add-an-approval-rule).
1. Go to your project and select **Settings**.
1. Expand **Merge request (MR) approvals**.
1. Select a **Target branch**:
- To protect all branches, select **Any branch**.
- To select a specific branch, select it from the list:
To enable this configuration, see [Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners).
![Scoped to protected branch](img/scoped_to_protected_branch_v13_10.png)
1. To enable this configuration, read
[Code Owner's approvals for protected branches](../../protected_branches.md#protected-branches-approval-by-code-owners).
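Review bot: "To protect all branches, select **Any branch**" misstates what the **Target branch** field does. It scopes the approval rule and does not protect anything; the text being replaced said the rule is "scoped to all the protected branches at once". Suggest "To apply the rule to all protected branches, select **Any branch**." Two smaller points in the same list: step 2 says **Settings** where the other procedures in this file say **Settings > General**, and the final numbered item ("To enable this configuration, read ...") is a cross-reference rather than a step, so it belongs below the list.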