SAST False Positive Detection – Frontend – Expose toggle to Security Managers
What does this MR do and why?
Exposes only the Turn on SAST false positive detection toggle on the project General Settings → GitLab Duo section to Security Managers.
References
- Project epic: SAST False Positive Detection - Add permission ... (gitlab-org#22422 - closed) • Charlie Kroon • 19.2
- Epic Phase Epic: gitlab-org#22422 (closed)
- Issue this MR is closing: #602869 (closed)
- Feature Flag Rollout Issue: #603450
Reference implementation: !239266 (merged)
Screenshots or screen recordings
-
With
update_false_positive_detection_setting_permissionfeature flag enabled - as security manager:
-
With the
update_false_positive_detection_setting_permissionand theupdate_sast_vr_setting_permissionfeature flags enabled:
How to set up and validate locally
-
Start GDK with support for Security Manager role
export GITLAB_SECURITY_MANAGER_ROLE=true gdk start -
Ensure that your instance has an active EE license. It should also have gitlab-duo enabled.
-
Enable the feature flag in the Rails console:
Feature.enable(:update_false_positive_detection_setting_permission) -
Log in as
rootand navigate to a project -
Add another user as a Security Manager on the project
-
Log out, then log in as the Security Manager user
-
Navigate to the project's Settings > General. Verify that only the Turn on SAST false positive detection toggle is visible (along with the Save button). Other Duo settings (Duo enable toggle, flow execution, tool approval, exclusion settings, etc.) should not be visible.
-
Verify the toggle can be toggled and saved
-
Now go to the
Secure > Audit eventsand check if the audit event was created after you saved your changes. -
Now go back to the rails console, and also enable
update_sast_vr_setting_permissionfeature flag by running:
Feature.enable(:update_sast_vr_setting_permission)- Refresh the General Settings page, now both toggles should be visible.
- Now go ahead and disable
update_false_positive_detection_setting_permissionand verify the FP detection toggle is no longer visible to the Security Manager - Log back in as
root/Maintainer and verify all Duo settings are still visible as normal
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

