Add support for merge request approval policy
Why are we doing this work
With the deprecation of Gemnasium, merge request approval policies need to take SBOM-based security findings into account.
For some more context: unlike Update MR widget to consider sbom based securit... (#490333, closed), this issue would require SBOM-related security findings to be fetched as part of the findings_finder, which implies that Security::Finding records would have to be persisted. The ingestion might therefore require changes around store_grouped_scans_service and store_scans_service so that SBOM report data is ingested. Another possible approach is to load the SBOM data as a security report and reuse the whole ingestion flow as is.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: -
Potential solution
- frontend: CVS will need to be added to the approval policy builder:
- backend: CVS will also need to be added as one of the supported scanners for approval rules.
- backend: As mentioned in the description, with CycloneDX report data stored as security findings, the approval rules logic will work as long as the CVS scanner has been added in the previous steps. The following are the main places where there is an interface between approval rules and findings logic:
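As an added illustration (this is not GitLab's code and does not describe its internals), the Ruby sketch below models the two pieces this plan touches: loading a CycloneDX document as a security report, and the supported-scanner gate in approval rule evaluation. The scanner identifier `cvs`, the `Finding` and `Rule` structs and their fields, and the CycloneDX sample are all assumptions constructed for the example. It shows the failure mode the second backend step guards against: a policy that names the SBOM scanner still matches nothing until that scanner is on the backend's supported list, so the approval requirement is silently skipped rather than failing loudly.

```ruby
require 'json'

# Constructed CycloneDX-style document for this example; not a real report,
# and the vulnerability ids are placeholders.
SAMPLE_CYCLONEDX = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
      {"bom-ref": "pkg:gem/rack@2.2.3", "name": "rack", "version": "2.2.3"},
      {"bom-ref": "pkg:gem/nokogiri@1.13.0", "name": "nokogiri", "version": "1.13.0"}
    ],
    "vulnerabilities": [
      {"id": "EXAMPLE-0001", "ratings": [{"severity": "medium"}, {"severity": "high"}],
       "affects": [{"ref": "pkg:gem/rack@2.2.3"}]},
      {"id": "EXAMPLE-0002", "ratings": [{"severity": "low"}],
       "affects": [{"ref": "pkg:gem/nokogiri@1.13.0"}]}
    ]
  }
JSON

SEVERITY_ORDER = %w[info low medium high critical].freeze
# Hypothetical scanner identifier for SBOM-derived findings (assumed name).
SBOM_SCANNER = 'cvs'

Finding = Struct.new(:scanner, :severity, :identifier, :package, keyword_init: true)
Rule = Struct.new(:scanners, :severity_levels, :vulnerabilities_allowed, keyword_init: true)

# Highest recognised severity across a vulnerability's ratings; 'unknown' if none is recognised.
def highest_severity(ratings)
  known = ratings.map { |r| r['severity'].to_s.downcase }.select { |s| SEVERITY_ORDER.include?(s) }
  known.max_by { |s| SEVERITY_ORDER.index(s) } || 'unknown'
end

# "Load the SBOM as a security report": one finding per (vulnerability, affected component).
def findings_from_cyclonedx(json, scanner: SBOM_SCANNER)
  doc = JSON.parse(json)
  components = (doc['components'] || []).to_h { |c| [c['bom-ref'], c] }
  (doc['vulnerabilities'] || []).flat_map do |vuln|
    severity = highest_severity(vuln['ratings'] || [])
    (vuln['affects'] || []).map do |affected|
      comp = components.fetch(affected['ref'], {})
      Finding.new(scanner: scanner, severity: severity, identifier: vuln['id'],
                  package: "#{comp['name']}@#{comp['version']}")
    end
  end
end

# Approval is required when more matching findings exist than the rule allows.
# Scanners the backend does not support are dropped from the rule before matching,
# so findings from an unsupported scanner never count, whatever the policy says.
def approval_required?(rule, findings, supported_scanners:)
  effective_scanners = rule.scanners & supported_scanners
  matching = findings.select do |f|
    effective_scanners.include?(f.scanner) && rule.severity_levels.include?(f.severity)
  end
  matching.size > rule.vulnerabilities_allowed
end

# Same policy and same findings, before and after adding the SBOM scanner to the supported list.
def demo
  findings = findings_from_cyclonedx(SAMPLE_CYCLONEDX)
  rule = Rule.new(scanners: %w[dependency_scanning cvs], severity_levels: %w[high critical],
                  vulnerabilities_allowed: 0)
  {
    findings: findings.size,
    before: approval_required?(rule, findings, supported_scanners: %w[dependency_scanning sast]),
    after: approval_required?(rule, findings, supported_scanners: %w[dependency_scanning sast cvs])
  }
end

puts demo.inspect
```

The intersection `rule.scanners & supported_scanners` is the point to check in review: it is the behaviour that makes forgetting the backend step fail silently, so the supported-scanner change should ship together with the ingestion change and be covered by a test that asserts a high-severity SBOM finding blocks the merge request.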
