Skip to content

Add setting to enable/disable AI false positive detection

Summary

Implement a setting that allows users to enable or disable AI-powered false positive detection for SAST vulnerabilities. This provides users with control over when the AI analysis is performed and allows them to opt-out if desired.

Problem to Solve

Users need the ability to control whether AI false positive detection is enabled for their projects or groups. Some users may want to disable this feature due to:

  • Privacy concerns about sending vulnerability data to AI services
  • Performance considerations
  • Preference for manual vulnerability triage
  • Compliance requirements

Proposal

Implement a setting that allows users to:

  1. Project-level Setting: Enable/disable FP detection at the project level
  2. Group-level Setting: Enable/disable FP detection at the group level (inheritable by projects)
  3. Default Behavior: Define appropriate default state (enabled/disabled)
  4. Setting Inheritance: Projects inherit group settings unless explicitly overridden
  5. UI Integration: Clear indication when FP detection is disabled

Potential Solution

There are two potential options to how we might want to implement this:

Option 1 (preferred option): Use the existing GitLab Duo settings as a way to implement the configuration, which helps it to be consistent with other AI similar features, code suggestions, duo chats, maybe others.

Role Settings

Admins
  1. Admin > GitLab Duo > Change configuration
  2. There will be "SAST False Positive Detection" toggle
  3. Sets default: On/Off/Always Off

Group Owners
  1. Group Settings > GitLab Duo
  2. Can lock setting for all child projects

Project Maintainers
  1. Project Settings > General > GitLab Duo
  2. "Use AI-native features in this project" (master toggle)
  3. "SAST False Positive Detection" (feature-specific toggle)

Option 2: Introduce a new AI setting configuration at the project level in the UI

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Secure > Security configuration.
  3. Select AI Security Features card
  4. Instead the card, Sec Ai features are turned on by default for the project;
  5. They will need to turn it off per project that doesn't need/want to use the AI features provided, or is needed to stop/manage the use of credits for usage billing

Related Issues

  • Parent Epic: &18977
  • Design Issue: gitlab-org/gitlab#563032
Edited by Ian Khor