Add worker to update mr approvals for updated enrichments

What does this MR do and why?

This MR adds a new worker to update MR approvals for policy with enrichment filters.

From #581332 (comment 2993972194):

We need to update Security::FindingEnrichment records when the package metadata is refreshed and update MR approvals based on the updated data.

After our work on Update CVE enrichment only if it has changed, it is now possible to query which pm_cve_enrichment records were recently updated. Based on the recently updated pm_cve_enrichment records, the new worker updates the corresponding security_finding_enrichments records and MR approvals for policies with enrichment filters.

References

Related to: #585514

Related to the MRs:

Screenshots or screen recordings

Before the update: Screenshot_2026-02-18_at_4.01.52_PM. After the update: Screenshot_2026-02-18_at_4.02.49_PM.

How to set up and validate locally

Prerequisites:

  • Sync the CVE enrichment data by running:

     ./bin/rails runner 'PackageMetadata::CveEnrichmentSyncWorker.perform_async'

    To verify the data has been synced, run the following from the Rails console; if it returns a non-zero count, the data has been synced:

     PackageMetadata::CveEnrichment.count

  • Enable the feature flags associate_security_findings_enrichment_records and security_policies_kev_filter using the Rails console:

     Feature.enable(:associate_security_findings_enrichment_records)
     Feature.enable(:security_policies_kev_filter)
  1. Create a new project
  2. Go to Secure > Policies
  3. Click on New policy
  4. Select Merge request approval policy
  5. Create a policy to block vulnerabilities with epss_score greater than 0.2:

     approval_policy:
       - name: Security Scan - Newly Detected
         description: ""
         enabled: true
         rules:
           - type: scan_finding
             scanners:
               - dependency_scanning
             vulnerabilities_allowed: 0
             severity_levels: []
             vulnerability_states:
               - new_needs_triage
             branch_type: protected
             vulnerability_attributes:
               enrichment_data_unavailable:
                 action: 'block'
               epss_score:
                 operator: greater_than
                 value: 0.2
               known_exploited: false
         actions:
           - type: require_approval
             approvals_required: 1
             role_approvers:
               - developer
               - maintainer
               - owner
           - type: send_bot_message
             enabled: true
         approval_settings:
           block_branch_modification: false
           prevent_pushing_and_force_pushing: false
           prevent_approval_by_author: false
           prevent_approval_by_commit_author: false
           remove_approvals_with_new_commit: false
           require_password_to_approve: false
         fallback_behavior:
           fail: closed

  6. Click on Create new project with the new policy
  7. Merge the MR to add the policy
  8. Go back to the project created in step 1
  9. Add an empty requirements.txt file
  10. Add a .gitlab-ci.yml with the content:

      include:
        - template: 'Jobs/Dependency-Scanning.gitlab-ci.yml'

  11. Ensure you have a pipeline with the dependency scanning artifacts in the main branch
  12. Create an MR updating the requirements.txt to introduce CVE-2020-14343 using the content:

      PyYAML==3.12

  13. Wait for the pipeline to finish
  14. Ensure the Security::FindingEnrichment was persisted in the database and note the epss_score for the finding with cve CVE-2020-14343:

      Security::FindingEnrichment.where(project_id: Project.second_to_last.id)

  15. Verify the MR is not blocked, because the epss_score is lower than 0.2
  16. Simulate an update from an execution of PackageMetadata::CveEnrichmentSyncWorker: in the Rails console, update the PackageMetadata::CveEnrichment with cve CVE-2020-14343:

      enrichment = PackageMetadata::CveEnrichment.by_cves('CVE-2020-14343').first
      enrichment.epss_score = 0.21
      enrichment.updated_at = Time.zone.now
      enrichment.save!

  17. Trigger the Security::SyncFindingEnrichmentWorker:

      Security::SyncFindingEnrichmentWorker.new.perform

  18. Verify the Security::FindingEnrichment with cve CVE-2020-14343 was updated:

      Security::FindingEnrichment.where(project_id: Project.second_to_last.id)

      [#<Security::FindingEnrichment:0x0000000155dbc1c0
        id: 259,
        finding_uuid: "80f1c2f2-7edc-5458-a3bf-3cb3aa89592e",
        project_id: 76,
        cve_enrichment_id: 137983,
        created_at: "2026-02-18 18:47:58.882561000 +0000",
        updated_at: "2026-02-18 18:51:03.599597000 +0000",
        cve: "CVE-2020-14343",
        epss_score: 0.21,
        is_known_exploit: false>]

  19. Verify the MR is now blocked, because the updated epss_score is greater than 0.2
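The validation steps above, and the worker behaviour described under "What does this MR do", can be followed end to end with the in-memory model below. This is an added example, not GitLab's code: the two structs stand in for the pm_cve_enrichment and security_finding_enrichments tables, the policy evaluator is a constructed reading of the vulnerability_attributes block from the policy YAML (known_exploited is treated as an equality filter, an assumption), and the sync routine's `since:` cut-off is an assumption about how the worker selects recently updated records. The sample finding and its before/after EPSS values are constructed to mirror the scenario.

```ruby
require 'time'
require 'yaml'

# Constructed stand-ins for PackageMetadata::CveEnrichment and
# Security::FindingEnrichment (attribute names follow the page).
CveEnrichment = Struct.new(:cve, :epss_score, :is_known_exploit, :updated_at, keyword_init: true)
FindingEnrichment = Struct.new(:finding_uuid, :project_id, :cve, :epss_score,
                               :is_known_exploit, :updated_at, keyword_init: true)

# The vulnerability_attributes filter from the policy YAML in the validation steps.
POLICY_ATTRIBUTES = YAML.safe_load(<<~YAML)
  enrichment_data_unavailable:
    action: 'block'
  epss_score:
    operator: greater_than
    value: 0.2
  known_exploited: false
YAML

# Step 1 of the sync: pick the CVE enrichment rows touched after `since`
# (assumed selection strategy) and copy their EPSS / KEV data onto the
# finding enrichments that reference the same CVE. Returns the rows changed.
def sync_finding_enrichments(cve_enrichments, finding_enrichments, since:, now: Time.now)
  recently_updated = cve_enrichments.select { |e| e.updated_at > since }.group_by(&:cve)
  finding_enrichments.each_with_object([]) do |fe, changed|
    source = recently_updated[fe.cve]&.first
    next unless source
    # Skip no-op writes so updated_at only moves when the data actually changed.
    next if fe.epss_score == source.epss_score && fe.is_known_exploit == source.is_known_exploit

    fe.epss_score = source.epss_score
    fe.is_known_exploit = source.is_known_exploit
    fe.updated_at = now
    changed << fe
  end
end

# Step 2: evaluate the enrichment filter for one finding. A nil enrichment
# means no data is available, which the policy handles via
# enrichment_data_unavailable.action. Returns true when the finding matches
# the rule and therefore counts against vulnerabilities_allowed.
def finding_matches_filter?(enrichment, attributes = POLICY_ATTRIBUTES)
  return attributes.dig('enrichment_data_unavailable', 'action') == 'block' if enrichment.nil?

  epss = attributes['epss_score']
  epss_match = case epss['operator']
               when 'greater_than' then enrichment.epss_score > epss['value']
               when 'less_than' then enrichment.epss_score < epss['value']
               else raise ArgumentError, "unknown operator #{epss['operator']}"
               end
  # Assumption: known_exploited in the policy is compared for equality.
  kev_match = !attributes.key?('known_exploited') ||
              enrichment.is_known_exploit == attributes['known_exploited']
  epss_match && kev_match
end

# Step 3: with vulnerabilities_allowed: 0, one matching finding blocks the MR.
def approval_required?(finding_enrichments, vulnerabilities_allowed: 0)
  finding_enrichments.count { |fe| finding_matches_filter?(fe) } > vulnerabilities_allowed
end

# Walk the validation scenario with constructed data: EPSS 0.1 (not blocked),
# the enrichment sync raises it to 0.21, the worker propagates it, now blocked.
def run_scenario
  t0 = Time.utc(2026, 2, 18, 18, 47, 58)
  cves = [CveEnrichment.new(cve: 'CVE-2020-14343', epss_score: 0.1,
                            is_known_exploit: false, updated_at: t0)]
  findings = [FindingEnrichment.new(finding_uuid: 'constructed-uuid', project_id: 76,
                                    cve: 'CVE-2020-14343', epss_score: 0.1,
                                    is_known_exploit: false, updated_at: t0)]
  before = approval_required?(findings)

  # Simulated PackageMetadata::CveEnrichmentSyncWorker refresh (step 16).
  cves.first.epss_score = 0.21
  cves.first.updated_at = t0 + 60

  changed = sync_finding_enrichments(cves, findings, since: t0, now: t0 + 120)
  after = approval_required?(findings)
  { before: before, after: after, changed: changed.size, epss: findings.first.epss_score }
end

puts run_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The no-op check in `sync_finding_enrichments` is the part worth keeping in mind when reasoning about the real worker: if a refresh re-saves unchanged rows with a new updated_at, every downstream consumer that keys on "recently updated" does redundant work on the next run, which is the same reason the earlier change only updates CVE enrichment when it has changed.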

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
