BE: Auto-dismiss vulnerabilities for the MR security widget


Why are we doing this work

There should be a new section of the MR security widget titled Auto-dismiss, listing the detected vulnerabilities that will be auto-dismissed. Where applicable, this section should appear below the New vulnerabilities section and above the Fixed section.

We need to investigate what is needed to deliver this information from the backend.

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

  1. Enable the feature flag auto_dismiss_vulnerability_policies
  2. Create a project
  3. Create an auto-dismiss policy:
    vulnerability_management_policy:
    - name: Auto-dismiss acceptable secrets
      description: Auto-dismiss secrets
      enabled: true
      actions:
      - type: auto_dismiss
        dismissal_reason: not_applicable
      rules:
      - type: detected
        criteria:
        - type: file_path
          value: ".env"
  4. Add a .gitlab-ci.yml with secret detection:
    include:
    - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  5. Add two secrets in a new MR:
    1. .env:
      AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    2. .env2:
      AWS_TOKEN=AKIAZYONPI3G4JNCCWGA
  6. Wait for the pipeline to finish
  7. Expand the detected findings in the MR security widget and verify that the finding matched by the policy (the one in .env) shows an icon with a popover, while the other one (in .env2) does not.
  8. Click on "View all pipeline findings" and update the status of the new finding to Dismissed.
  9. Go back to the MR and verify that only the Dismissed badge shows up.
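The following is an added example, not GitLab's own code: a minimal evaluator for the vulnerability_management_policy shape used in step 3, run against two constructed findings that mirror the .env and .env2 files from step 5. The policy is embedded as a Python dict rather than re-parsed from YAML, and the file_path criterion is assumed to compare the full repository path exactly, which is what the verification steps require (.env matches, .env2 must not). The finding and widget structures are hypothetical, chosen only to show how a backend could split findings into the New and Auto-dismiss sections.

```python
# Constructed findings mirroring step 5: the same secret type in two files.
# The secret values themselves are not needed for policy matching, so they are omitted.
FINDINGS = [
    {"id": 1, "file_path": ".env", "name": "AWS access key"},
    {"id": 2, "file_path": ".env2", "name": "AWS access key"},
]

# The policy from step 3, written as a dict that mirrors the page's YAML.
POLICY = {
    "vulnerability_management_policy": [
        {
            "name": "Auto-dismiss acceptable secrets",
            "description": "Auto-dismiss secrets",
            "enabled": True,
            "actions": [
                {"type": "auto_dismiss", "dismissal_reason": "not_applicable"},
            ],
            "rules": [
                {
                    "type": "detected",
                    "criteria": [{"type": "file_path", "value": ".env"}],
                },
            ],
        }
    ]
}


def criterion_matches(criterion, finding):
    """Assumption: file_path is an exact match on the full path, so '.env2' never matches '.env'."""
    if criterion["type"] == "file_path":
        return finding["file_path"] == criterion["value"]
    raise ValueError(f"unsupported criterion type: {criterion['type']}")


def rule_matches(rule, finding):
    # Assumed AND semantics: every criterion of a rule must hold for the rule to match.
    if rule["type"] != "detected":
        return False
    return all(criterion_matches(c, finding) for c in rule["criteria"])


def evaluate(policy, findings):
    """Return {finding_id: dismissal_reason} for findings that an enabled auto_dismiss policy matches."""
    result = {}
    for p in policy["vulnerability_management_policy"]:
        if not p.get("enabled", False):
            continue  # disabled policies never dismiss anything
        reasons = [a["dismissal_reason"] for a in p["actions"] if a["type"] == "auto_dismiss"]
        if not reasons:
            continue  # policy has no auto_dismiss action
        for f in findings:
            if f["id"] in result:
                continue  # first matching policy wins
            if any(rule_matches(r, f) for r in p["rules"]):
                result[f["id"]] = reasons[0]
    return result


def widget_sections(policy, findings):
    """Split findings into the New and Auto-dismiss sections the MR widget would show."""
    dismissed = evaluate(policy, findings)
    new = [f for f in findings if f["id"] not in dismissed]
    auto = [dict(f, dismissal_reason=dismissed[f["id"]]) for f in findings if f["id"] in dismissed]
    return {"new": new, "auto_dismiss": auto}


if __name__ == "__main__":
    for section, items in widget_sections(POLICY, FINDINGS).items():
        print(section, [f["file_path"] for f in items])
```

Running it prints the .env2 finding under new and the .env finding under auto_dismiss with reason not_applicable, which is the split the widget is expected to render. The exact-path assumption is the part worth confirming against the real policy semantics before relying on it: a prefix or glob match would pull .env2 into the Auto-dismiss section too.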