SAST False Positive Detection – Frontend – Expose toggle to Security Managers

What does this MR do and why?

Exposes only the Turn on SAST false positive detection toggle on the project General Settings → GitLab Duo section to Security Managers.

References

Reference implementation: !239266 (merged)

Screenshots or screen recordings

  • With update_false_positive_detection_setting_permission feature flag enabled - as security manager: Screenshot_2026-06-22_at_13.35.35

  • With the update_false_positive_detection_setting_permission and the update_sast_vr_setting_permission feature flags enabled:

    Screenshot_2026-06-22_at_17.33.09

How to set up and validate locally

  1. Start GDK with support for Security Manager role

    export GITLAB_SECURITY_MANAGER_ROLE=true
    gdk start
  2. Ensure that your instance has an active EE license. It should also have gitlab-duo enabled.

  3. Enable the feature flag in the Rails console:

    Feature.enable(:update_false_positive_detection_setting_permission)
  4. Log in as root and navigate to a project

  5. Add another user as a Security Manager on the project

  6. Log out, then log in as the Security Manager user

  7. Navigate to the project's Settings > General. Verify that only the Turn on SAST false positive detection toggle is visible (along with the Save button). Other Duo settings (Duo enable toggle, flow execution, tool approval, exclusion settings, etc.) should not be visible.

  8. Verify the toggle can be toggled and saved

  9. Now go to the Secure > Audit events and check if the audit event was created after you saved your changes.

  10. Now go back to the rails console, and also enable update_sast_vr_setting_permission feature flag by running:

   Feature.enable(:update_sast_vr_setting_permission)
  1. Refresh the General Settings page, now both toggles should be visible.
  2. Now go ahead and disable update_false_positive_detection_setting_permission and verify the FP detection toggle is no longer visible to the Security Manager
  3. Log back in as root/Maintainer and verify all Duo settings are still visible as normal

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Charlie Kroon

Merge request reports

Loading