Customizable MR Security Gate Approvals
Problem to solve
Security approval gates have a fixed set of criteria that prevent an MR from merging without approval from a designated security approvers group. Currently, any MR containing a Critical, High, or Unknown severity vulnerability (regardless of whether the vulnerability has been dismissed) triggers the need for security approval before it is allowed to merge. This gives organizations and teams no flexibility to define their own acceptable risk thresholds.
Intended users
User experience goal
Users can set custom approval gate thresholds by selecting only the severity level or levels they wish to trigger the approval. There should be a related option to trigger the approval even for dismissed vulnerabilities; it should be enabled by default. These thresholds should further be configurable either for all scanners on a project or individually for each scanner. This would allow, for example, blocking only on Critical and High for scanners prone to many Unknown results, while other scanners continue to block on Unknowns.
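The proposed gate semantics as an added illustration in Python (not GitLab's code): a finding holds the MR when its severity is in the project-wide threshold set, or in that scanner's override set where one is configured, and dismissed findings count only while the dismissed-findings option is on. Scanner names, the severity strings and the configuration shape are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Finding:
    scanner: str      # scanner names such as "sast" are assumed for illustration
    severity: str     # "critical", "high", "unknown", ...
    dismissed: bool = False

@dataclass
class GateConfig:
    severities: frozenset                            # project-wide levels that trigger approval
    include_dismissed: bool = True                   # proposed default: dismissed findings still block
    per_scanner: dict = field(default_factory=dict)  # scanner -> frozenset of levels overriding the above

# The fixed rule the issue describes as current behaviour.
CURRENT_GATE = GateConfig(severities=frozenset({"critical", "high", "unknown"}))

def blocking_findings(findings, config):
    """Return the findings that would hold the MR for security approval."""
    blocked = []
    for f in findings:
        if f.dismissed and not config.include_dismissed:
            continue  # dismissed findings are ignored only when the option is switched off
        # A per-scanner threshold, if configured, replaces the project-wide one for that scanner.
        levels = config.per_scanner.get(f.scanner, config.severities)
        if f.severity.lower() in levels:
            blocked.append(f)
    return blocked

def requires_security_approval(findings, config):
    return bool(blocking_findings(findings, config))

# Constructed sample findings for one MR (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("sast", "high"),
    Finding("dependency_scanning", "unknown"),
    Finding("container_scanning", "critical", dismissed=True),
]

# A customized gate: dependency scanning is noisy with Unknowns, so only Critical and High block
# there, while other scanners keep blocking on Unknown; dismissed findings no longer hold the MR.
CUSTOM_GATE = GateConfig(
    severities=frozenset({"critical", "high", "unknown"}),
    include_dismissed=False,
    per_scanner={"dependency_scanning": frozenset({"critical", "high"})},
)
```

Under CURRENT_GATE all three sample findings hold the MR; under CUSTOM_GATE only the High SAST finding does.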