Design: Display approval rules on security configuration page UI

Problem to solve

Context: Vulnerability-Check and License-Check approval rules are not currently displayed in the UI by default. Surfacing the rules by default in the approvals section is tracked in #31922 (closed), and #36829 (closed) decouples the override options from the checks.

Problem: 1) proper configuration is a prerequisite to the checks being useful (so even if they are shown by default, they will need to be explicit in the UI); 2) if a check is active, it is only seen in the merge request (the user may not be aware that the check is in place).

Intended users

Further details

This aims to help users better understand how their project's security is set up. The configuration page shows whether a scan is enabled, and #13298 (closed) will show scanning across projects. This will display, at the project level, the rules/checks applied to the issue (follow-up: display at the group/instance level which checks are in place).

Proposal ideation

Display rule status on/off (Vulnerability-Check and License-Check) and allow users to set up/enable and/or edit them on the configuration page. This will include the outcome from #214712 (closed).

Notes:

Backend: please verify you don't need to do anything.

Frontend: please check whether this current proposal can be done without duplicating code; I wouldn't want the two to get out of sync. If this means we need to create an issue to refactor or do other prep work, that is OK. Also, if we need to tweak the design to more closely mimic/mirror the settings page, we can talk to UX about that.

Permissions and Security

Documentation

...

Availability & Testing

SET should update any existing security configuration end-to-end test, or add one if none exists.

What does success look like, and how can we measure that?

  • Does the feature's visibility help improve adoption?
  • Is the usability of setting up the security checks improved?
  • For the user accountable for security, does the status help them with awareness/understanding of how the project's security is set up?

What is the type of buyer?

GitLab Ultimate

PM Notes

An OKR is to make sure everything is Pajamas. Can we make sure to use Pajamas and, if Pajamas doesn't have a pattern for what we are adding, contribute one? This may make this heavier weight, but as an OKR it's a high priority.

Edited by Nicole Schwartz