Customizable Severity levels for MR Security Gate Approvals
Problem to solve
Security approval gates have a fixed set of criteria for allowing or holding an MR without approval from a designated security approvers group. Currently, any MR containing a Critical, High, or Unknown severity vulnerability, regardless of whether the vulnerability was dismissed, will trigger the need for security approval before it is allowed to merge. This does not give organizations and teams the flexibility to determine their own acceptable risk thresholds.
User experience goal
Users can set custom approval gate thresholds by selecting only the severity level or levels they wish to trigger the approval. There should be a related option to trigger the approval even for dismissed vulnerabilities (it should be enabled by default).