Once whitelisting is available in GitLab, we can imagine a global whitelist managed at the group level. This list could contain security issues that must always be ignored, and issues that must never be ignored. That way, Security teams (@kathyw, @jritchey, ...) could define rules at a higher level.
This file could be mounted into the job (so that nobody can override it from the repository) and merged with the local one according to the always/never rules.
Alternatively, users could host this file somewhere and pass its URL to the job. That is a good way to track changes to the global settings, and we would not need to manage all the authorizations ourselves. A scheduled job in the repository hosting this file could check that it is actually used in every project that must be monitored. I suggest this second approach, which is easier to implement and maintain.
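The merge rules described above, as an added example that is not GitLab code or part of this proposal. The file format is an assumption (a JSON document with `always_ignore` and `never_ignore` lists in the global policy and an `ignore` list in the local one), the rule names and findings are constructed, and the `load_policy`, `merge_policies` and `apply_policy` functions are illustrative names. The effective ignore set is the local ignore list plus the global always-ignore list, minus the global never-ignore list, and local entries that the global policy overrides are reported rather than silently dropped. Because the URL-hosted variant fetches the policy from outside the job, the loader also pins the document's SHA-256 so a substituted or tampered file is rejected instead of applied:

```python
import hashlib
import json
from typing import Optional

# Constructed sample: the group-level policy that the security team controls.
GLOBAL_POLICY_TEXT = json.dumps({
    "always_ignore": ["rule-debug-flag"],           # accepted noise everywhere
    "never_ignore": ["rule-hardcoded-credential"],  # no project may suppress this
})

# Constructed sample: a repository's local allowlist. It tries to suppress a
# rule that the global policy forbids suppressing.
LOCAL_POLICY_TEXT = json.dumps({
    "ignore": ["rule-hardcoded-credential", "rule-xss"],
})

# Constructed sample scanner findings (assumed shape: id, rule, file).
FINDINGS = [
    {"id": 1, "rule": "rule-hardcoded-credential", "file": "settings.py"},
    {"id": 2, "rule": "rule-xss", "file": "views.py"},
    {"id": 3, "rule": "rule-debug-flag", "file": "app.py"},
    {"id": 4, "rule": "rule-sqli", "file": "db.py"},
]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_policy_hash(text: str, expected_sha256: str) -> bool:
    """True when the fetched policy matches the hash pinned in the job config."""
    return sha256_hex(text) == expected_sha256


def load_policy(text: str, expected_sha256: Optional[str] = None) -> dict:
    """Parse a policy document (assumed JSON format, see lead-in).

    When the document was fetched from a URL rather than mounted into the job,
    the caller pins its SHA-256; a mismatch aborts instead of applying it.
    """
    if expected_sha256 is not None and not verify_policy_hash(text, expected_sha256):
        raise ValueError("policy hash mismatch: refusing to apply the policy")
    doc = json.loads(text)
    return {
        "always_ignore": frozenset(doc.get("always_ignore", [])),
        "never_ignore": frozenset(doc.get("never_ignore", [])),
        "ignore": frozenset(doc.get("ignore", [])),
    }


def merge_policies(global_policy: dict, local_policy: dict) -> dict:
    """Effective ignore set = (local ignore + global always_ignore) minus global never_ignore.

    Also returns the local entries that never_ignore overrode, so the job can
    report an attempt to suppress a rule the group does not allow suppressing.
    """
    requested = local_policy["ignore"] | global_policy["always_ignore"]
    effective = requested - global_policy["never_ignore"]
    overridden = local_policy["ignore"] & global_policy["never_ignore"]
    return {"ignore": effective, "overridden": overridden}


def apply_policy(findings: list, effective: dict):
    """Split findings into those to report and those the merged policy suppresses."""
    report = [f for f in findings if f["rule"] not in effective["ignore"]]
    suppressed = [f for f in findings if f["rule"] in effective["ignore"]]
    return report, suppressed


def run(global_text: str = GLOBAL_POLICY_TEXT, local_text: str = LOCAL_POLICY_TEXT,
        findings: list = FINDINGS, global_sha256: Optional[str] = None) -> dict:
    """Load both policies, merge them and apply the result to the findings."""
    global_policy = load_policy(global_text, global_sha256)
    local_policy = load_policy(local_text)
    effective = merge_policies(global_policy, local_policy)
    report, suppressed = apply_policy(findings, effective)
    return {
        "reported": [f["id"] for f in report],
        "suppressed": [f["id"] for f in suppressed],
        "overridden": sorted(effective["overridden"]),
    }


if __name__ == "__main__":
    print(json.dumps(run(global_sha256=sha256_hex(GLOBAL_POLICY_TEXT)), indent=2))
```

With the constructed inputs, findings 2 and 3 are suppressed, findings 1 and 4 are reported, and the local attempt to ignore `rule-hardcoded-credential` is listed as overridden. For the URL-hosted variant, pinning the hash (or a signature) in the job configuration is what keeps "anyone who can edit the hosted file" from becoming "anyone who can silence findings in every project"; the mounted variant gets the same guarantee from the job's own access control.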
This feature will be helpful for large companies.