
BE: Build dismissal service layer and GraphQL API integration for warn mode

Why are we doing this work

This backend implementation creates the service layer and GraphQL API integration needed to handle security finding dismissals in warn mode. When developers encounter policy violations in warn mode, they need a way to dismiss those findings through the merge request interface, which requires proper service orchestration and API endpoints.

This builds on the dismissal tracking infrastructure and enables the frontend to interact with dismissal functionality through GraphQL mutations.

Relevant links

Implementation

  • Extend updateMergeRequestMutation with an overrideSecurityPolicies flag for dismissal handling, and create a new API to dismiss policies (Slack snapshot)
  • Add dismissal validation and authorization logic to mutation resolvers
  • Implement Security::Findings::DismissService for policy-specific dismissals
  • Add proper error handling and response formatting for dismissal operations
  • Integrate with audit event generation for dismissal tracking
  • Add notification mechanisms for stakeholder alerts
  • Ensure proper authorization checks for dismissal permissions

Technical notes

  • Follow the existing updateMergeRequestMutation pattern, similar to overrideRequestedChanges
  • Service should validate finding UUIDs, policy IDs, and merge request relationships
  • Authorization should check Developer+ role permissions in project
  • Dismissal service must handle bulk operations efficiently
  • Proper transaction handling for dismissal record creation
  • Integration with existing audit event infrastructure
  • Error responses should provide clear feedback for validation failures
  • Service should update scan result policy violations with dismissal metadata
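The following is an added sketch of how the service described in the Implementation and Technical notes lists could be structured. It is not GitLab's Security::Findings::DismissService and does not use Rails; Project, MergeRequest, Finding, Dismissal, AuditEvent, the ACCESS_LEVEL values and the audit action name are constructed stand-ins for this example. It shows the pieces the notes ask for: a Developer+ authorization check, validation of finding UUIDs, policy ID and merge request relationship, one bulk lookup instead of a per-UUID query, an all-or-nothing commit, per-dismissal audit events, and structured error responses.

```ruby
require 'securerandom'

# Constructed in-memory stand-ins for the records the issue refers to.
Finding      = Struct.new(:uuid, :merge_request_id, :policy_id)
MergeRequest = Struct.new(:id, :project_id)
Dismissal    = Struct.new(:finding_uuid, :policy_id, :merge_request_id, :dismissed_by, :reason)
AuditEvent   = Struct.new(:action, :author, :details)

# Hypothetical access levels used for the "Developer+" check.
ACCESS_LEVEL = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Project
  attr_reader :id, :findings, :dismissals, :audit_events

  def initialize(id:, members:)
    @id = id
    @members = members   # { user_name => role_symbol }
    @findings = {}       # uuid => Finding
    @dismissals = []
    @audit_events = []
  end

  def access_level(user)
    ACCESS_LEVEL.fetch(@members[user], 0)
  end
end

module Security
  module Findings
    # Hypothetical service object; not GitLab's own implementation.
    class DismissService
      UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/
      Result = Struct.new(:status, :dismissals, :errors, keyword_init: true)

      def initialize(project:, merge_request:, current_user:, finding_uuids:, policy_id:, reason:)
        @project = project
        @merge_request = merge_request
        @current_user = current_user
        @finding_uuids = Array(finding_uuids).uniq
        @policy_id = policy_id
        @reason = reason
      end

      def execute
        return error(['current user must have Developer or higher role']) unless authorized?

        errors = validate
        return error(errors) if errors.any?

        # One bulk lookup for the whole batch rather than a query per UUID.
        findings = @project.findings.values_at(*@finding_uuids)
        records = findings.map do |f|
          Dismissal.new(f.uuid, @policy_id, @merge_request.id, @current_user, @reason)
        end

        # All-or-nothing commit: nothing is persisted until every record is built,
        # so a single invalid UUID never leaves a partial batch behind.
        @project.dismissals.concat(records)
        records.each do |r|
          @project.audit_events << AuditEvent.new('dismiss_security_finding', @current_user, r.to_h)
        end

        Result.new(status: :success, dismissals: records, errors: [])
      end

      private

      def authorized?
        @project.access_level(@current_user) >= ACCESS_LEVEL[:developer]
      end

      # Returns a list of human-readable validation failures (empty when valid).
      def validate
        errors = []
        errors << 'merge request does not belong to project' unless @merge_request.project_id == @project.id
        errors << 'at least one finding UUID is required' if @finding_uuids.empty?
        @finding_uuids.each do |uuid|
          unless uuid.match?(UUID_RE)
            errors << "invalid finding UUID: #{uuid}"
            next
          end
          finding = @project.findings[uuid]
          if finding.nil?
            errors << "unknown finding: #{uuid}"
          elsif finding.merge_request_id != @merge_request.id
            errors << "finding #{uuid} is not on merge request #{@merge_request.id}"
          elsif finding.policy_id != @policy_id
            errors << "finding #{uuid} was not raised by policy #{@policy_id}"
          end
        end
        errors
      end

      def error(messages)
        Result.new(status: :error, dismissals: [], errors: messages)
      end
    end
  end
end

# Constructed fixture: one project, one MR, two findings raised by policy 7.
def build_demo_project
  project = Project.new(id: 1, members: { 'alice' => :developer, 'bob' => :guest })
  mr = MergeRequest.new(42, 1)
  2.times do
    uuid = SecureRandom.uuid
    project.findings[uuid] = Finding.new(uuid, 42, 7)
  end
  [project, mr]
end

if __FILE__ == $PROGRAM_NAME
  project, mr = build_demo_project
  result = Security::Findings::DismissService.new(
    project: project, merge_request: mr, current_user: 'alice',
    finding_uuids: project.findings.keys, policy_id: 7, reason: 'false positive'
  ).execute
  puts "#{result.status}: #{result.dismissals.size} dismissals, #{project.audit_events.size} audit events"
end
```

The Result struct is what a mutation resolver would map onto the GraphQL response: `errors` becomes the mutation's errors array, and `dismissals` becomes the returned records. Validation runs to completion and reports every failure in the batch at once, which gives the frontend clear feedback rather than one error per round-trip.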

Validation Steps

  • updateMergeRequestMutation accepts overrideSecurityPolicies parameter
  • dismissPolicyViolations API creates a new dismissal for policy violations
  • Mutation properly validates dismissal parameters and relationships
  • Authorization correctly restricts dismissals to Developer+ role users
  • Service creates dismissal records with proper audit trails
  • Bulk dismissal operations perform efficiently
  • Error handling provides clear feedback for invalid requests
  • Audit events generated for all dismissal actions (will be handled in #562186 (closed))
  • Scan result policy violations updated with dismissal status
  • Integration works seamlessly with existing MR workflow

Edited by Imam Hossain