Add epss filter to security scan rule

What does this MR do and why?

This merge request adds support for two new vulnerability filtering options in security policies: KEV (Known Exploited Vulnerabilities) status and EPSS (Exploit Prediction Scoring System) scores.

The KEV filter allows users to target only vulnerabilities that are actively being exploited in the wild. The EPSS filter lets users set policies based on the probability that a vulnerability will be exploited, with options for predefined risk levels (Low 10%, Moderate 50%, High 80%, Critical 100%) or custom percentage values.

The changes include:

  • New UI components for selecting EPSS operators (greater than/less than) and probability values
  • Updated validation logic to handle both boolean and object-type vulnerability attributes
  • Simplified KEV filter text to be clearer about its purpose
  • Helper functions to convert between percentage displays and decimal values
  • Feature flag integration to conditionally show these new filters

The implementation maintains backward compatibility while extending the existing vulnerability attribute system to support more complex filtering criteria beyond simple true/false values.

References

Screenshots or screen recordings

Description UI
Epss filter epss.mov

How to set up and validate locally

  1. Enable feature flag:

    Feature.enable(:security_policies_kev_filter)

  2. Go to Secure -> Policies

  3. New Merge request policy

  4. Select Security scan rule

  5. Check new KEPSS filter

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #577315 (closed)

Edited by Artur Fedorov
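
The filter behaviour described in this MR, sketched as an added example that is not code from the merge request or from GitLab. The attribute names `known_exploited` and `epss_score`, the operator names, the strict comparisons, and the handling of findings without a score are assumptions; the sample findings are constructed.

```javascript
// Hypothetical names throughout; not GitLab's schema or code.
const EPSS_LEVELS = { low: 10, moderate: 50, high: 80, critical: 100 }; // percentages from the MR text
const OPERATORS = { // strict comparisons are an assumption
  greater_than: (score, threshold) => score > threshold,
  less_than: (score, threshold) => score < threshold,
};
// UI percentage <-> stored decimal probability; rounding avoids float drift (0.07 * 100 !== 7).
const percentToDecimal = (percent) => Math.round(percent * 100) / 10000;
const decimalToPercent = (decimal) => Math.round(decimal * 10000) / 100;
// Builds the object-type attribute from a predefined level name or a custom percentage.
function buildEpssRule(operator, levelOrPercent) {
  const percent = EPSS_LEVELS[levelOrPercent] ?? levelOrPercent;
  return { operator, value: percentToDecimal(percent) };
}

// Accepts boolean attributes (KEV) and object attributes (EPSS); returns error strings.
function validateAttributes(attrs) {
  const errors = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (typeof value === 'boolean') continue;
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      errors.push(`${name}: expected boolean or object`);
    } else if (!Object.keys(OPERATORS).includes(value.operator)) {
      errors.push(`${name}: unknown operator`);
    } else if (!Number.isFinite(value.value) || value.value < 0 || value.value > 1) {
      errors.push(`${name}: value must be a probability between 0 and 1`);
    }
  }
  return errors;
}

// Every configured attribute must match. A finding without a score matches neither operator (assumption).
function matches(finding, attrs) {
  return Object.entries(attrs).every(([name, value]) => {
    if (typeof value === 'boolean') return Boolean(finding[name]) === value;
    return Number.isFinite(finding[name]) && OPERATORS[value.operator](finding[name], value.value);
  });
}
const FINDINGS = [ // constructed sample data
  { id: 'F-1', known_exploited: true, epss_score: 0.92 },
  { id: 'F-2', known_exploited: false, epss_score: 0.61 },
  { id: 'F-3', known_exploited: true, epss_score: 0.03 },
  { id: 'F-4', known_exploited: true }, // no EPSS score available
];

function selectFindings(attrs) {
  const errors = validateAttributes(attrs);
  if (errors.length) throw new Error(errors.join('; '));
  return FINDINGS.filter((f) => matches(f, attrs)).map((f) => f.id);
}
```

With the strict comparison assumed here, `greater_than` at the Critical (100%) level selects nothing, and F-4 shows that a finding with no score is skipped by both operators, which matters when the rule gates merges.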
