Allow ignoring of fixed vulnerabilities in Merge Requests


Release notes

Allow ignoring of fixed vulnerabilities in Merge Requests

Problem to solve

I want to use a Merge Request policy to block a Merge Request if a dependency scan reports one or more pre-existing critical vulnerabilities, but approve the merge request if all pre-existing critical vulnerabilities are fixed.

Proposal

My proposal is that the Merge Request policy add an option to ignore vulnerabilities that are fixed by the Merge Request. This allows developers to fix pre-existing vulnerabilities without requiring manual approval from a security approver in cases where a Merge Request policy blocks pre-existing vulnerabilities.

Without this feature, I either need to update my policy to only block new vulnerabilities or have a security approver manually approve each fixed pre-existing vulnerability.
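The two rule semantics compared above, modelled as an added illustration (not GitLab's policy engine): the policy as currently described blocks on any pre-existing critical finding on the target branch, while the proposed option counts only those pre-existing criticals that the MR pipeline's own scan still reports. Findings and their identifiers are constructed placeholders; new findings introduced by the MR are assumed to be covered by a separate rule and are not modelled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding; identity is scanner + identifier + location."""
    scanner: str
    identifier: str   # constructed placeholder, not a real advisory id
    location: str
    severity: str


def critical(findings):
    """Subset of findings whose severity is 'critical'."""
    return {f for f in findings if f.severity == "critical"}


def blocks_as_described(target_branch, mr_pipeline, allowed=0):
    """Policy as the issue describes it today: pre-existing critical findings
    on the target branch exceed the threshold, so the MR is blocked even when
    the MR removes every one of them."""
    return len(critical(target_branch)) > allowed


def blocks_with_proposed_option(target_branch, mr_pipeline, allowed=0):
    """Proposed option (hypothetical): a pre-existing critical finding that
    the MR pipeline no longer reports is treated as fixed and ignored; only
    those still present count against the threshold."""
    still_present = critical(target_branch) & critical(mr_pipeline)
    return len(still_present) > allowed


def demo():
    """Constructed scenario: the target branch carries one critical and one
    high finding; the MR fixes the critical one."""
    target = {
        Finding("dependency_scanning", "VULN-A", "Gemfile.lock", "critical"),
        Finding("dependency_scanning", "VULN-B", "Gemfile.lock", "high"),
    }
    mr_fixes_critical = {
        Finding("dependency_scanning", "VULN-B", "Gemfile.lock", "high"),
    }
    return (
        blocks_as_described(target, mr_fixes_critical),        # True
        blocks_with_proposed_option(target, mr_fixes_critical), # False
    )


if __name__ == "__main__":
    print(demo())
```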

