Update query tokens for policy violation filtering

Alexander Turinskerequested to merge
549786-add-policy-violation-filtering-to-query into master

What does this MR do and why?

Update query tokens for policy violation filtering

  • backend MRs to add the filter capability are listed in BE: Integrate with vulnerability reporting and ... (#561739 - closed), but they are all merged now
  • initial frontend MR to add the filter: Conditionally show policy violation vuln filter (!206461 - merged)
  • include dashboard type in filter function
  • hide filter for non Elastic Search systems
  • filter vulnerabilitiesproject and group level by policy violations
  • due to multi-version compatibility, we need to hide the new policy violations property behind a feature flag to minimize the impact
  • add new property in a duplicated graphql query
  • update integration tests
  • update unit tests
  • there is another feature flag being used on the backend called "policyViolationsEsFilter" that needs to be checked on the frontend
  • additionally the "accessAdvancedVulnerabilityManagement" ability needs to be checked for
  • due to the repeated use of many ability and feature flags, I have created a utility function that checks for them and imported it everywhere
  • moved most of the testing into that single utility function
  • still test a single true and false case in each instance

Changelog: added

EE: true

References

Screenshots or screen recordings

Scenario Screenshot
Without feature flags or ability Screenshot_2025-10-22_at_8.56.39_PM Screenshot_2025-10-29_at_10.49.03_AM
With feature flag image

How to set up and validate locally

How to set up and validate locally

Elasticsearch Setup

  1. Enable the Elasticsearch in GDK
gdk config set elasticsearch.enabled true
gdk reconfigure
gdk start elasticsearch

Simulate SAAS mode

  1. add export GITLAB_SIMULATE_SAAS=1 to env.runit
  2. Restart the gdk
gdk kill && gdk start

Dismiss a security finding blocked by a security policy

  1. Enable the advanced_vulnerability_management and security_policy_approval_warn_mode feature flags in http://gdk.test:3000/rails/features
  2. Import the security-reports project.
  3. Run a new pipeline on the default branch to create vulnerabilities
  4. Go to Secure > Policies and create a Merge Request Approval policy
  5. Create an MR editing the README file
  6. Create a record of Security::PolicyDismissal to simulate a bypassed/dismissed policy
Security::PolicyDismissal.create(project: Project.second_to_last, merge_request: MergeRequest.last, security_policy: Security::Policy.last, user: User.first, dismissal_reason: 0, security_findings_uuids: ["84c1832e-294d-59f0-b3ff-b4414cc86c70"])
  1. Checkout Filter vulnerabilities dismissed by security po... (!202622 - closed)
  2. Cherry pick this MR onto that
  3. Navigate to a project/group => Secure => Vulnerability Report => Filter by "Dismissed in MR"
  4. Verify only the new vulnerabilities appear

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #549786 (closed)

Edited by Alexander Turinske

Merge request reports