DESIGN: Vulnerability dismissal requires approval

Problem to solve

Before GitLab 17.0, anyone with at least Developer access could dismiss vulnerabilities in any of the Security Dashboards. This created a lack of accountability and oversight in managing vulnerabilities.

In GitLab 17.0 or newer, the default access is moved to the Maintainer RBAC role. See https://docs.gitlab.com/user/application_security/vulnerabilities/#change-the-status-of-a-vulnerability.

Note: This issue content has been updated because Google search AI answers are treating it as if it were current. See comment.

Intended users

Further details

We already have Security Approvals at the Merge Request level, where a group of users is required to approve any finding with a Critical, High, or Unknown severity. Even dismissed findings with these severities still require approval before merging is allowed.

However, we don't have any control over dismissals outside of the MR. Anyone with Developer access can freely dismiss vulnerabilities in Vulnerability Reports (formerly Security Dashboards, which show vulnerabilities already in a project's default branch). Such a change can go under the radar of the Security Team because we don't yet have an audit trail, and no approval is required to dismiss a vulnerability.

Proposal

We need a way to optionally require approval before dismissing a vulnerability from a Project, Group, or Instance Vulnerability Report. We need to consider making this a setting or rule that can be applied top-down, so that users with many hundreds or thousands of projects can enable it globally. Overriding or making specific adjustments at the Group and/or Project level will still be necessary.

It may not be the right long-term approach, but we should consider whether we can leverage the existing security approver groups, using them as the approvers for vulnerability dismissal approvals as well.

This issue is to gather discussions to solve this problem.

Permissions and Security

TBD

Documentation

TBD

Availability & Testing

TBD

What does success look like, and how can we measure that?

  • Better isolation of privileges for security interactions

What is the type of buyer?

GitLab Ultimate

Links / references

/cc @andyvolpe following our discussion today.

Edited by Connor Gilbert