Trigger SAST FP detection for all existing vulnerabilities one time via banner button

Problem to Solve

Currently, the SAST FP detection workflow only triggers for brand new vulnerabilities created during a pipeline run (via after_create_commit in MR !208276 (merged)). This means:

  • Existing vulnerabilities in the project are never analyzed for false positives
  • Customers with vulnerability backlogs must wait for new detections to benefit from the feature
  • Running a new pipeline doesn't re-analyze existing High/Critical vulnerabilities

This significantly limits the feature's value for customers with existing security debt.

Decision

We have decided to add a one-time button to the banner being built in #581652. Clicking it starts a background job that queues the FP detection workflow for every existing High and Critical SAST vulnerability in the project.

This approach provides:

  • User control over when to process existing vulnerabilities
  • Clear opt-in mechanism for resource-intensive operations
  • Integration with the existing banner announcement feature

Implementation Approach

Add a button to the Vulnerability Report banner that:

  1. Triggers a background process to identify all High/Critical SAST vulnerabilities in the project
  2. Queues FP detection workflow for each qualifying vulnerability
  3. Respects concurrency limits to prevent resource exhaustion
  4. Provides user feedback on the processing status

Current Behavior

From MR !208276 (merged):

# ee/app/models/ee/vulnerability.rb
# Fires once, after the INSERT commits, and only for SAST report types;
# nothing re-evaluates rows that already existed before the pipeline ran.
after_create_commit :trigger_false_positive_detection, if: :sast?

def trigger_false_positive_detection
  # Gate on the vulnerability's group, so the worker is never queued where the flag is off
  return unless ::Feature.enabled?(:enable_vulnerability_fp_detection, group)

  ::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker.perform_async(id)
end

This only fires when a new vulnerability record is created.

Proposed Behavior

When the user clicks the button in the banner:

  1. Identify all High/Critical SAST vulnerabilities in the project
  2. Trigger FP detection workflow for each vulnerability
  3. Respect concurrency limits to prevent resource exhaustion
  4. Provide feedback to the user about the processing

Implementation Considerations

# Potential implementation (sketch; scope names are assumed: `sast` and
# `with_severities` follow existing Vulnerability scopes, `not_recently_analyzed`
# would still need to be added)
class Vulnerabilities::TriggerBulkFpDetectionWorker
  include ApplicationWorker

  feature_category :static_application_security_testing
  idempotent!

  BATCH_SIZE = 100
  BATCH_DELAY = 1.minute

  def perform(project_id, user_id)
    project = Project.find_by_id(project_id)
    return unless project
    # Same gate as the after_create_commit hook, so bulk and per-record paths agree
    return unless ::Feature.enabled?(:enable_vulnerability_fp_detection, project.group)

    # Find all High/Critical SAST vulnerabilities not analyzed in the last 48 hours
    vulnerabilities = project.vulnerabilities
      .sast
      .with_severities([:critical, :high])
      .not_recently_analyzed(48.hours)

    # Release jobs in delayed batches rather than one perform_async per row:
    # a project with hundreds of findings then reaches the Duo Workflow Service
    # at BATCH_SIZE per BATCH_DELAY instead of all at once
    vulnerabilities.each_batch(of: BATCH_SIZE) do |batch, index|
      args = batch.pluck(:id).map { |id| [id] }
      Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker
        .bulk_perform_in((index - 1) * BATCH_DELAY, args)
    end
  end
end
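The proposed behavior (filter to High/Critical SAST findings, skip ones analyzed recently, release jobs in throttled batches, enforce a cooldown between bulk runs, and return something the UI can show the user) as a stand-alone Ruby example. This is added illustration, not code from MR !208276 or the worker sketched above: the `Vuln` struct, `FakeQueue`, the thresholds (48-hour window, batches of 10 released 60 s apart, 24-hour cooldown) and the sample backlog are all constructed for the example and stand in for the real models and Sidekiq.

```ruby
require 'time'

# Constructed stand-in for a Vulnerability row (not GitLab's model).
Vuln = Struct.new(:id, :report_type, :severity, :last_fp_analysis_at, keyword_init: true)

# Constructed stand-in for Sidekiq's perform_in: records (delay, id) pairs
# instead of enqueueing, so the throttling can be inspected offline.
class FakeQueue
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def perform_in(delay_seconds, vuln_id)
    @jobs << { delay: delay_seconds, id: vuln_id }
  end
end

class BulkFpDetectionTrigger
  ELIGIBLE_SEVERITIES = %w[critical high].freeze
  RECENT_WINDOW = 48 * 3600 # skip findings analyzed within the last 48h (assumed threshold)
  BATCH_SIZE    = 10        # jobs released together (assumed)
  BATCH_DELAY   = 60        # seconds between batches; caps load on the workflow service (assumed)
  COOLDOWN      = 24 * 3600 # minimum gap between bulk runs for one project (assumed)

  def initialize(queue:, clock: -> { Time.now })
    @queue = queue
    @clock = clock
    @last_run = {} # project_id => Time of last accepted bulk run
  end

  # High/Critical SAST findings not analyzed within RECENT_WINDOW, deduplicated by id.
  def eligible(vulns, now)
    vulns.select do |v|
      v.report_type == 'sast' &&
        ELIGIBLE_SEVERITIES.include?(v.severity) &&
        (v.last_fp_analysis_at.nil? || now - v.last_fp_analysis_at > RECENT_WINDOW)
    end.uniq(&:id)
  end

  # Enqueues one FP-detection job per eligible finding, with batch i delayed by
  # i * BATCH_DELAY, and returns a hash suitable for user feedback.
  def trigger(project_id, vulns)
    now = @clock.call
    last = @last_run[project_id]
    if last && now - last < COOLDOWN
      return { status: :cooldown, enqueued: 0, retry_after: (last + COOLDOWN - now).ceil }
    end

    targets = eligible(vulns, now)
    targets.each_slice(BATCH_SIZE).with_index do |batch, i|
      batch.each { |v| @queue.perform_in(i * BATCH_DELAY, v.id) }
    end
    @last_run[project_id] = now

    batches = (targets.size / BATCH_SIZE.to_f).ceil
    { status: :enqueued, enqueued: targets.size, batches: batches,
      last_batch_starts_in: [batches - 1, 0].max * BATCH_DELAY }
  end
end

# Constructed sample backlog: 20 high + 1 stale critical are eligible (21);
# 5 recently analyzed, 5 medium, 3 DAST and one duplicate id are skipped.
SAMPLE_NOW = Time.utc(2025, 1, 1, 12, 0, 0)

def sample_vulns
  vulns = (1..20).map { |i| Vuln.new(id: i, report_type: 'sast', severity: 'high') }
  vulns += (21..25).map { |i| Vuln.new(id: i, report_type: 'sast', severity: 'critical', last_fp_analysis_at: SAMPLE_NOW - 3600) }
  vulns += (26..30).map { |i| Vuln.new(id: i, report_type: 'sast', severity: 'medium') }
  vulns += (31..33).map { |i| Vuln.new(id: i, report_type: 'dast', severity: 'critical') }
  vulns << Vuln.new(id: 34, report_type: 'sast', severity: 'critical', last_fp_analysis_at: SAMPLE_NOW - 3 * 86400)
  vulns << Vuln.new(id: 1, report_type: 'sast', severity: 'high') # duplicate id
  vulns
end

if __FILE__ == $PROGRAM_NAME
  queue = FakeQueue.new
  trigger = BulkFpDetectionTrigger.new(queue: queue, clock: -> { SAMPLE_NOW })
  p trigger.trigger(42, sample_vulns)   # 21 jobs in 3 batches
  p trigger.trigger(42, sample_vulns)   # rejected: cooldown
end
```

The returned hash is what the banner would render (jobs queued, how many batches, when the last batch starts) and the `:cooldown` branch answers the repeat-click question without a second database pass. In the real worker the cooldown state would live in Redis rather than in-process memory, and the batch delay would be tuned against Duo Workflow Service capacity.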

Related Issues

Questions to Resolve

  • Should the button be available only once or multiple times?
  • How do we handle projects with hundreds of existing vulnerabilities?
  • What feedback should we provide to users during processing?
  • What's the impact on Duo Workflow Service capacity?
  • Should we add a cooldown period between bulk processing requests?
Edited by Nate Rosandich