
Account for configured Pipeline Execution Policies when scan is missing in Merge Request Approval Policies

Why are we doing this work

In the scope of this issue, we would like to modify the logic in Merge Request Approval Policies to account for configured, enabled, and scoped Pipeline Execution Policies, so when a scan is missing in the target branch but is defined in the Pipeline Execution Policy, we do not require approval.

In the scope of this issue we would like to implement the changes needed to make this behaviour available to users.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • Persist metadata security_scan: <scan_type> in Ci::CreatePipelineService / YamlProcessor::Result based on the artifacts definition. For example, to detect a secret_detection scanner, we should look for job[:artifacts][:reports] and we expect the path from the scanner template {secret_detection: gl-secret-detection-report.json}.
  • Based on this new metadata in merge_request.head_pipeline, update PolicyRuleEvaluationService introduced in !168222 (merged) to exclude approvals for rules with the matching scanners.
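
As an added example (not GitLab's own code), the following Ruby sketch walks through both bullets above: it derives the security_scan metadata for a job from its artifacts:reports definition, and then uses that metadata to decide whether a scan_finding rule is still blocked by a scanner that is missing from the target branch. The list of recognised report types, the job and function names, and the sample configs are assumptions constructed for this example; the issue itself only names secret_detection and dependency_scanning.

```ruby
require 'set'

# Report keys under artifacts:reports that identify a security scanner.
# Assumption for this example: approval-rule scanner names match these keys.
SECURITY_REPORT_TYPES = %w[
  sast secret_detection dependency_scanning container_scanning dast
].freeze

# Derive the `security_scan: <scan_type>` metadata for one job from its
# artifacts:reports definition. Returns nil when the job declares no security report.
def security_scan_for(job)
  reports = job.dig(:artifacts, :reports) || {}
  reports.keys.map(&:to_s).find { |type| SECURITY_REPORT_TYPES.include?(type) }
end

# Collect the configured scanners across all jobs of a processed config.
# Jobs skipped at run time (for example by rules:changes) still count, because the
# metadata is taken from the definition when the pipeline is created, not from what ran.
def configured_scanners(jobs)
  jobs.each_value.filter_map { |job| security_scan_for(job) }.to_set
end

# A scan_finding rule whose scanners are missing from the target branch is normally
# blocking. With policy_tuning.unblock_rules_using_execution_policies enabled, it is
# unblocked when the head pipeline's metadata shows every missing scanner is configured,
# e.g. through jobs injected by a pipeline execution policy.
def approval_required_for_missing_scanners?(rule, target_scanners:, head_pipeline_scanners:,
                                             unblock_rules_using_execution_policies:)
  missing = rule[:scanners].to_set - target_scanners
  return false if missing.empty?                       # nothing missing: evaluate findings as usual
  return true unless unblock_rules_using_execution_policies
  !(missing - head_pipeline_scanners).empty?           # still blocked only if a scanner is nowhere configured
end

# Constructed sample: the project's own config has no scanner; the pipeline execution
# policy injects a job carrying the dependency_scanning report.
PROJECT_JOBS = { 'rspec' => { script: ['bundle exec rspec'] } }.freeze
POLICY_JOBS = {
  'dependency-scanning-policy-job' => {
    stage: 'test',
    artifacts: { reports: { dependency_scanning: 'gl-dependency-scanning-report.json' } }
  },
  'policy-test-job' => { stage: 'test', script: ["echo 'Policy test job 1'"] }
}.freeze

RULE = { type: 'scan_finding', scanners: ['dependency_scanning'] }.freeze

# Mirrors the verification steps: with the policy enabled no approval is required,
# with it disabled the missing scanner blocks the MR again.
def evaluate(policy_enabled:)
  head_jobs = policy_enabled ? PROJECT_JOBS.merge(POLICY_JOBS) : PROJECT_JOBS
  approval_required_for_missing_scanners?(
    RULE,
    target_scanners: configured_scanners(PROJECT_JOBS),
    head_pipeline_scanners: configured_scanners(head_jobs),
    unblock_rules_using_execution_policies: true
  )
end

if $PROGRAM_NAME == __FILE__
  puts "policy enabled:  approval required? #{evaluate(policy_enabled: true)}"
  puts "policy disabled: approval required? #{evaluate(policy_enabled: false)}"
end
```

The metadata is derived from the job definition rather than from executed jobs on purpose: in the verification steps the MR only touches README.md, so the dependency scanning job does not run, yet the scanner counts as configured because the execution policy injects it.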

Verification steps

  1. Enable feature flag unblock_rules_using_pipeline_execution_policies
  2. Create a project SPP
  3. In the project, create policy-ci.yml:
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    policy-test-job:
      stage: test
      script:
        - echo 'Policy test job 1'
  4. Create another project
  5. In this project, go to Secure -> Policies and link the project SPP from step 2 as a policy project
  6. Create a new pipeline execution policy:
    pipeline_execution_policy:
      - name: Enforced scans
        description: ''
        enabled: true
        pipeline_config_strategy: inject_policy
        content:
          include:
            - project: <path-to-spp-project>
              file: policy-ci.yml
  7. Save the policy
  8. Create a merge request approval policy, requiring approvals for new dependency_scanning vulnerabilities with an option to unblock rules using execution policies:
    approval_policy:
      - name: Dependency scan approvals
        description: ''
        enabled: true
        rules:
          - type: scan_finding
            scanners:
              - dependency_scanning
            vulnerabilities_allowed: 0
            severity_levels: []
            vulnerability_states: []
            branch_type: protected
        actions:
          - type: require_approval
            approvals_required: 1
            role_approvers:
              - developer
          - type: send_bot_message
            enabled: true
        approval_settings:
          block_branch_modification: false
          prevent_pushing_and_force_pushing: false
          prevent_approval_by_author: false
          prevent_approval_by_commit_author: false
          remove_approvals_with_new_commit: false
          require_password_to_approve: false
        fallback_behavior:
          fail: closed
        policy_tuning:
          unblock_rules_using_execution_policies: true
    
  9. In the project, create an MR (update README.md)
  10. Verify that no approvals are required, although the dependency_scanning job didn't run
  11. Disable the pipeline execution policy
  12. Verify that an approval is required due to missing scanner configuration
Edited by Martin Čavoj