[Spike] Close gap between MR security widget and scan result policy approval
Description
Recently we updated the way pipelines are compared in the MR widget for security scan comparison, as part of Use merge base for security MR widget (&10092 - closed). This causes inconsistencies with the way scan result policy pipelines are compared when enforcing approvals.
In this example, the MR widget uses the pipeline that ran for the Common base as the target branch pipeline and the pipeline that ran for the Feature tip as the source branch pipeline. The scan result policy, however, uses the pipeline that ran for the Main tip as the target branch pipeline and the pipeline that ran for the Feature tip as the source branch pipeline. This introduces confusion when the MR widget shows no new vulnerabilities while the scan result policy still enforces approval for newly detected vulnerabilities.
The goal of this spike is to reduce these inconsistencies so that the approvals enforced by scan result policies (SRP) match the results shown in the MR widget.
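To make the gap concrete, the following is an added toy model (not GitLab code) of the two pipeline-selection strategies described above. A pipeline's scan result is reduced to the set of vulnerability fingerprints it reported, the branch history is constructed for the example, and the approval rule (any newly detected finding requires approval) is an assumption standing in for a real scan result policy. The history is the case the description calls out: a vulnerability fixed on main after the common base but still present on the feature branch.

```python
"""Toy model of MR widget vs scan result policy pipeline comparison.

Constructed example, not GitLab code: a pipeline's scan result is just the
set of vulnerability fingerprints it reported, and the branch history below
is made up to reproduce the inconsistency described in the issue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ref: str             # what the pipeline ran against (label only)
    findings: frozenset  # fingerprints of vulnerabilities the scan reported


def newly_detected(target: ScanResult, source: ScanResult) -> set:
    """Findings in the source pipeline that the chosen target pipeline lacks."""
    return set(source.findings - target.findings)


def fixed(target: ScanResult, source: ScanResult) -> set:
    """Findings in the chosen target pipeline that the source pipeline lacks."""
    return set(target.findings - source.findings)


def compare(strategy: str, merge_base: ScanResult, main_tip: ScanResult,
            feature_tip: ScanResult) -> dict:
    """Pick the target-branch pipeline the way each consumer does, then diff.

    'widget' models the MR security widget (common base vs feature tip).
    'policy' models scan result policy evaluation (main tip vs feature tip).
    """
    target = {"widget": merge_base, "policy": main_tip}[strategy]
    new = newly_detected(target, feature_tip)
    return {
        "target_pipeline": target.ref,
        "newly_detected": new,
        "fixed": fixed(target, feature_tip),
        # Assumed policy rule: any newly detected finding requires approval.
        "requires_approval": bool(new),
    }


# Constructed history: feature branched from main at the common base, which
# carried V1 and V2. After that, main fixed V1 and introduced V3; the feature
# branch changed nothing security-relevant, so it still carries V1 and V2.
MERGE_BASE = ScanResult("common base", frozenset({"V1", "V2"}))
MAIN_TIP = ScanResult("main tip", frozenset({"V2", "V3"}))
FEATURE_TIP = ScanResult("feature tip", frozenset({"V1", "V2"}))


def reproduce_gap() -> dict:
    """Return both consumers' verdicts for the constructed history."""
    return {s: compare(s, MERGE_BASE, MAIN_TIP, FEATURE_TIP)
            for s in ("widget", "policy")}


if __name__ == "__main__":
    for name, verdict in reproduce_gap().items():
        print(name, verdict)
```

With this history the widget comparison reports nothing newly detected and no approval required, while the policy comparison reports V1 as newly detected (it was fixed on main after the branch point) and requires approval. The policy comparison also reports V3 as "fixed" even though the feature branch never touched it, which is the same target-pipeline mismatch seen from the other side.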
Potential Solutions
Consider the common base pipeline for the target branch in the comparison
Drawbacks
- We might miss fixed vulnerabilities in commits after the common base
- The `detected` state in the policy would consider vulnerabilities that are introduced in commits after the common base too
- `detected` or `newly_detected` state
Consider the pipeline based on
More discussion: #379108 (comment 1376834704)