Analyze only Merge Request findings in Approval Policy
Problem / Pain Point
As per my current understanding, there is no way to set up an Approval Policy so that only the findings in the Merge Request are considered when giving approval.
This means that:
- We would be required to have a pipeline with findings on every target branch. This is the situation from issue #515780 (closed), where an MR with no findings is blocked unnecessarily.
- If we want to enforce a strict rule that allows no un-triaged vulnerabilities at all, we need two policies: [No new] and [No historical].
This is suboptimal because:
- Let Vmr be the vulnerabilities on the MR and Vt the ones on the target branch. With these two policies we compute Vnew = Vmr - Vt (used by the [No new] policy) and Vt (used by the [No historical] policy). If both policies are active, the set that is evaluated is Vnew + Vt = (Vmr - Vt) + Vt, which is Vmr (plus any target findings that are no longer present on the MR, see the next point). We compute a set difference only to undo it again; these extra operations are unnecessary.
- Also, the [No historical] policy would block MRs that fully fix historical vulnerabilities in the target branch, which should not happen. This problem disappears if only the merge request findings are considered.
Proposal
The change proposed in this issue would optimize this process by:
- First checking whether the source branch scan results contain any findings
- If no findings exist in the source branch, immediately determining that there are no "newly detected findings", without requiring target branch scan results
- Only requiring the comparison with target branch results when the source branch actually has findings that need to be evaluated
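To make the set arithmetic from the pain-point list and the short-circuit from the proposal concrete, here is an added example (illustration written for this issue, not GitLab's policy code). It assumes a finding is identified by a fingerprint string and that triage state is a separate set of fingerprints; the sample data is constructed. It evaluates the same inputs under the two-policy setup ([No new] + [No historical]) and under the proposed MR-only evaluation, and shows that the latter never loads the target scan when the source scan is empty, so an MR that fully fixes a historical finding is not blocked:

```ruby
require 'set'

# Added example, not GitLab's code. Assumptions: a finding is a fingerprint
# string, triage state is a separate set of fingerprints.
# v_mr = findings on the merge request (source branch scan)
# v_t  = findings on the target branch scan
Verdict = Struct.new(:violations, :newly_detected, :target_loaded, keyword_init: true)

# Two-policy setup: [No new] evaluates Vnew = Vmr - Vt, [No historical]
# evaluates Vt. Together they evaluate Vnew + Vt, i.e. (Vmr - Vt) + Vt, which is
# Vmr | Vt and collapses to Vmr only when every target finding is still on the MR.
def two_policy_verdict(v_mr, v_t, triaged)
  v_new  = v_mr - v_t              # [No new]
  v_hist = v_t                     # [No historical]
  considered = v_new | v_hist      # the difference is computed only to be undone
  Verdict.new(
    violations: considered - triaged,
    newly_detected: v_new,
    target_loaded: true            # both policies always need the target scan
  )
end

# Proposed evaluation: only findings on the MR are considered, and the target
# scan is fetched only when the source scan actually has findings.
# load_target is a callable so the short-circuit is observable.
def mr_only_verdict(v_mr, triaged, load_target)
  if v_mr.empty?
    # No source findings: nothing can be newly detected, no target lookup needed.
    return Verdict.new(violations: Set.new, newly_detected: Set.new, target_loaded: false)
  end
  v_t = load_target.call           # only now compare against the target branch
  Verdict.new(
    violations: v_mr - triaged,
    newly_detected: v_mr - v_t,
    target_loaded: true
  )
end

# Constructed sample: the target branch carries one historical, untriaged
# finding that the MR fully fixes (the case from the pain-point list).
if __FILE__ == $PROGRAM_NAME
  v_t     = Set['sha:hist-1']
  v_mr    = Set.new
  triaged = Set.new
  p two_policy_verdict(v_mr, v_t, triaged).violations.to_a      # => ["sha:hist-1"]
  p mr_only_verdict(v_mr, triaged, -> { v_t }).violations.to_a  # => []
end
```

The two-policy path blocks the MR on the historical finding even though the MR removes it, while the MR-only path approves it without ever fetching the target scan; when the MR does carry findings, both paths agree on which ones are new, but the MR-only path still only evaluates what is actually on the MR.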
Edited by Grant Hickman