Persist license_scanning violations in security_policy_dismissals

What does this MR do and why?

This MR updates the dismiss_policy_violations_service to persist the license_finding violation data when a policy in warn mode is dismissed/bypassed.

The changes are behind the new feature flag security_policy_warn_mode_license_scanning, since the previous warn mode feature flag is already enabled on GitLab.com.

This MR also reverts the changes from MR !205695 so that a warn mode policy with license_finding rules can be created again.

References

Related to: #570791

How to set up and validate locally

  1. Enable the feature flag security_policy_warn_mode_license_scanning in a Rails console:

        Feature.enable(:security_policy_warn_mode_license_scanning)

  2. Create a new project.
  3. Add a .gitlab-ci.yml file with the content:

        include:
          - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml

  4. Go to Secure > Policies.
  5. Click on New policy.
  6. Select Merge request approval policy.
  7. Create a new policy with enforcement_type: warn to deny MIT licenses:

        approval_policy:
          - name: Deny MIT
            description: ''
            enabled: true
            enforcement_type: warn
            rules:
              - type: license_finding
                match_on_inclusion_license: true
                license_types:
                  - MIT License
                license_states:
                - newly_detected
                branch_type: protected
            actions:
              - type: require_approval
                approvals_required: 1
                role_approvers:
                  - developer
              - type: send_bot_message
                enabled: true

  8. Click on Configure with a merge request.
  9. Merge the new MR to add the policy.
 10. Create a new MR adding a Gemfile.lock file with the following content:

        GEM
          remote: https://rubygems.org/
          specs:
            rack (3.0.4.1)

        PLATFORMS
          arm64-darwin-22

        DEPENDENCIES
          rack

        BUNDLED WITH
           2.4.22

 11. Verify that the policy blocked the MR.
 12. Go to /-/graphql-explorer and dismiss the policy using the query

        mutation DismissPolicyViolations($projectPath: ID!, $mergeRequestIid: String!, $securityPolicyIds: [ID!]!, $dismissalTypes: [DismissalType!]!, $comment: String!) {
          dismissPolicyViolations(input: {
            projectPath: $projectPath,
            iid: $mergeRequestIid,
            securityPolicyIds: $securityPolicyIds,
            dismissalTypes: $dismissalTypes,
            comment: $comment
          }) {
            errors
          }
        }

     with the following query variables (replace the placeholders with your project path, MR IID and policy ID):

        {
          "projectPath": "project_Path",
          "mergeRequestIid": "MR_IID",
          "securityPolicyIds": [Policy_Id],
          "dismissalTypes": ["SCANNER_FALSE_POSITIVE"],
          "comment": "false positive"
        }

 13. Verify in a Rails console that the license violation information was persisted in the policy dismissal:

        Security::PolicyDismissal.last
        => #<Security::PolicyDismissal:0x0000000139369608
         id: 9,
         created_at: Wed, 05 Nov 2025 19:24:35.862239000 UTC +00:00,
         updated_at: Wed, 05 Nov 2025 19:24:35.862239000 UTC +00:00,
         project_id: 234,
         merge_request_id: 512,
         security_policy_id: 152,
         user_id: 1,
         security_findings_uuids: [],
         dismissal_types: [1],
         comment: "false positive",
         status: "open",
         license_occurrence_uuids: [],
         licenses: {"MIT License" => ["rack"]}>
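The value that matters for audit in the record above is `licenses`: it captures which license findings were bypassed when the warn mode policy was dismissed. The following Ruby snippet is an added illustration, not GitLab's own service code, of how such a payload can be derived from a license_finding rule and a set of scan findings. The rule and finding hash keys (`license_types`, `match_on_inclusion_license`, `license_states`, `package`, `license`, `state`) and the sample findings are constructed for this example; it also shows the allow-list behaviour when `match_on_inclusion_license` is false, which the validation steps above do not exercise.

```ruby
# Added example (not GitLab's own code): build the `licenses` hash that a
# warn-mode policy dismissal persists, i.e. license name => packages that
# violated the rule, so the dismissal record shows exactly what was bypassed.

# One license_finding rule, mirroring the policy YAML in the validation steps.
# The symbol keys are assumed names for this example.
POLICY_RULE = {
  license_types: ["MIT License"],
  match_on_inclusion_license: true,
  license_states: ["newly_detected"]
}.freeze

# Constructed sample findings: the rack gem from the Gemfile.lock above plus
# two extra packages so that both the state filter and the license filter
# have something to reject.
SAMPLE_FINDINGS = [
  { package: "rack",     license: "MIT License", state: "newly_detected" },
  { package: "nokogiri", license: "MIT License", state: "detected" },       # pre-existing, not newly detected
  { package: "rails",    license: "Apache-2.0",  state: "newly_detected" }
].freeze

# Returns { "License Name" => ["pkg", ...] } for every finding that violates the
# rule, in the same shape as Security::PolicyDismissal#licenses shown above.
def license_violations(rule, findings)
  allowed_states = rule[:license_states]
  listed_licenses = rule[:license_types]

  grouped = findings.each_with_object(Hash.new { |h, k| h[k] = [] }) do |finding, acc|
    # Only findings in one of the rule's license_states count (e.g. newly_detected).
    next unless allowed_states.include?(finding[:state])

    on_list = listed_licenses.include?(finding[:license])
    # match_on_inclusion_license: true  => listed licenses are denied (deny-list)
    # match_on_inclusion_license: false => anything NOT listed is denied (allow-list)
    violates = rule[:match_on_inclusion_license] ? on_list : !on_list
    next unless violates

    acc[finding[:license]] << finding[:package]
  end

  # Deduplicate and sort package names so the persisted value is deterministic.
  grouped.transform_values { |pkgs| pkgs.uniq.sort }
end

if __FILE__ == $PROGRAM_NAME
  p license_violations(POLICY_RULE, SAMPLE_FINDINGS)
  # => {"MIT License"=>["rack"]}
end
```

Running the file prints the same `{"MIT License" => ["rack"]}` payload the Rails console shows in step 13; flipping `match_on_inclusion_license` to false instead reports the Apache-2.0 package, because the list then acts as an allow-list.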

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
