Add tracked ref filter to vulnerability report

What does this MR do and why?

Add tracked ref filter to the project vulnerability report.

Adds a new filter which will allow users to filter the vulnerability report by one or more selected refs.

Screenshots or screen recordings

Screen_Recording_2025-12-05_at_2.04.10_pm

How to set up and validate locally

Setup

1. Enable the feature flag: http://gdk.test:3000/rails/features/vulnerabilities_across_contexts
2. Apply the following patch to provide some mock refs:

diff --git a/ee/app/helpers/ee/projects_helper.rb b/ee/app/helpers/ee/projects_helper.rb
index 222c351859f2..7bbd35f0b0e1 100644
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -252,11 +252,77 @@ def project_security_dashboard_config_with_vulnerabilities(project)
           scanners: VulnerabilityScanners::ListService.new(project).execute.to_json,
           can_view_false_positive: can_view_false_positive?,
           vulnerability_quota: vulnerability_quota_information(project),
-          validity_checks_enabled: project&.security_setting&.validity_checks_enabled&.to_s || 'false'
+          validity_checks_enabled: project&.security_setting&.validity_checks_enabled&.to_s || 'false',
+          tracked_refs: tracked_refs_mock_data(project).to_json
         }
       )
     end
 
+    def tracked_refs_mock_data(project)
+      [
+        {
+          id: "gid://gitlab/Security::ProjectTrackedContext/1",
+          name: project.default_branch || 'main',
+          refType: 'BRANCH',
+          isDefault: true,
+          isProtected: false,
+          commit: {
+            sha: 'abc123def456',
+            shortId: 'abc123d',
+            title: 'Initial commit',
+            authoredDate: Time.current.iso8601,
+            webPath: "#{project.web_url}/-/commit/abc123def456"
+          },
+          vulnerabilitiesCount: 0
+        },
+        {
+          id: "gid://gitlab/Security::ProjectTrackedContext/2",
+          name: 'develop',
+          refType: 'BRANCH',
+          isDefault: false,
+          isProtected: false,
+          commit: {
+            sha: 'def456ghi789',
+            shortId: 'def456g',
+            title: 'Update dependencies',
+            authoredDate: 1.day.ago.iso8601,
+            webPath: "#{project.web_url}/-/commit/def456ghi789"
+          },
+          vulnerabilitiesCount: 5
+        },
+        {
+          id: "gid://gitlab/Security::ProjectTrackedContext/3",
+          name: 'v1.0.0',
+          refType: 'TAG',
+          isDefault: false,
+          isProtected: false,
+          commit: {
+            sha: 'ghi789jkl012',
+            shortId: 'ghi789j',
+            title: 'Release v1.0.0',
+            authoredDate: 2.days.ago.iso8601,
+            webPath: "#{project.web_url}/-/commit/ghi789jkl012"
+          },
+          vulnerabilitiesCount: 3
+        },
+        {
+          id: "gid://gitlab/Security::ProjectTrackedContext/4",
+          name: 'v1.1.0',
+          refType: 'TAG',
+          isDefault: false,
+          isProtected: false,
+          commit: {
+            sha: 'jkl012mno345',
+            shortId: 'jkl012m',
+            title: 'Release v1.1.0',
+            authoredDate: 3.days.ago.iso8601,
+            webPath: "#{project.web_url}/-/commit/jkl012mno345"
+          },
+          vulnerabilitiesCount: 1
+        }
+      ]
+    end
+
     def project_security_dashboard_config(project)
       has_vulnerabilities = project.vulnerabilities.exists?
 

Validation

1. Navigate to a project with vulnerabilities and then "Secure -> Vulnerability Report"
2. Verify that the "Tracked ref" filter shows "main" (default) on load
3. Verify that the filter behaves like the "activity" and "status" filters

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #555992