[Spike] Close gap between MR security widget and scan result policy approval

Description

Recently we updated the way pipelines are compared in the MR widget for security scan comparison, as part of "Use merge base for security MR widget" (&10092 - closed). This causes inconsistencies with the way scan result policy pipelines are compared when enforcing approvals.

(attached image: pipeline comparison example)

In this example, the MR widget uses the pipeline that ran on the common base for the target branch and the pipeline that ran on the feature tip for the source branch. The scan result policy, however, uses the pipeline that ran on the main tip for the target branch and the pipeline that ran on the feature tip for the source branch. This causes confusion when the MR widget shows no new vulnerabilities, but the scan result policy enforces approval for newly detected vulnerabilities.

The goal of this spike is to reduce these inconsistencies so that the approvals enforced by the scan result policy (SRP) match the results shown in the MR widget.
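As an added illustration (not code from this issue or from GitLab), the following Python models both comparisons on a constructed set of scan findings and reproduces the mismatch described above; the commit labels, finding fingerprints and helper functions are all assumptions.

```python
# Added example, not GitLab's code: models the two pipeline-comparison
# strategies described in the spike on constructed scan findings, so the
# disagreement between MR widget and scan result policy can be reproduced.

# Constructed findings per pipeline, keyed by the commit each pipeline ran on.
# Each finding is a (report_type, fingerprint) pair; all values are made up.
PIPELINE_FINDINGS = {
    # Merge base of the feature branch and the target branch
    "common_base": {("sast", "vuln-A"), ("sast", "vuln-B")},
    # Target branch tip: vuln-B was fixed after the base, vuln-C introduced after it
    "main_tip": {("sast", "vuln-A"), ("sast", "vuln-C")},
    # Source branch tip: nothing new was introduced on the feature branch
    "feature_tip": {("sast", "vuln-A"), ("sast", "vuln-B")},
}


def newly_detected(target_commit, source_commit="feature_tip"):
    """Findings present in the source pipeline but absent from the target one."""
    return PIPELINE_FINDINGS[source_commit] - PIPELINE_FINDINGS[target_commit]


def fixed(target_commit, source_commit="feature_tip"):
    """Findings present in the target pipeline but absent from the source one."""
    return PIPELINE_FINDINGS[target_commit] - PIPELINE_FINDINGS[source_commit]


def mr_widget_comparison():
    """MR widget: common base vs feature tip (current behaviour per the spike)."""
    return newly_detected("common_base"), fixed("common_base")


def scan_result_policy_comparison():
    """Scan result policy: main tip vs feature tip (current behaviour per the spike)."""
    return newly_detected("main_tip"), fixed("main_tip")


def needs_approval(new_findings):
    """A newly_detected policy requires approval when any new finding exists."""
    return len(new_findings) > 0


if __name__ == "__main__":
    widget_new, _ = mr_widget_comparison()
    policy_new, _ = scan_result_policy_comparison()
    print("widget new:", widget_new, "approval:", needs_approval(widget_new))
    print("policy new:", policy_new, "approval:", needs_approval(policy_new))
    # vuln-B is "new" to the policy only because main fixed it after the base;
    # switching the policy to the common base would hide that fix (first drawback).
```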

Potential Solutions

Consider the common base for target branch for comparison

Drawbacks

  • We might miss vulnerabilities that were fixed in commits after the common base
  • The detected state in the policy would also consider vulnerabilities introduced in commits after the common base

Consider the pipeline based on detected or newly_detected state

More discussion: #379108 (comment 1376834704)