## Summary The current implementation of Secret Detection auto-resolves findings (marking them as fixed) for every scan that is ran by diffing between pipeline executions. With the introduction of historic scanning and with the future feature of MR scanning we do not want to auto resolve as this would effectively erase secret vulnerabilities that are still present in the git history. Let's use the [example](https://gitlab.com/gitlab-org/gitlab/-/issues/36860#note_359817734) that @twoodham laid out to demonstrate why auto-resolving is a problem: 1. Large project turns on secret detection later in its life. 2. Historic secrets scan kicked off, detecting many leaked secrets. 3. User picks one leaked secret to resolve and pushes up an MR for just that artifact. 4. MR for one leaked secret is merged, properly resolving that one item. 5. Due to absence of other secrets being reported by new CI job, they're also auto-resolved...even though they still exist in the repository's history. ## Related Issues https://gitlab.com/gitlab-org/gitlab/-/issues/36860 <!-- Please briefly describe what part of the code base needs to be refactored. --> ## Improvements Removing auto-resolving of secret vulnerabilities allows us to move forward on enabling accurate secret detection for MRs and further iterate on historic secret scanning. <!-- Explain the benefits of refactoring this code. See also https://about.gitlab.com/handbook/values/index.html#say-why-not-just-what --> ## Risks Added tedium for users -- they will have to manually resolve secret vulnerabilities. <!-- Please list features that can break because of this refactoring and how you intend to solve that. --> ## Involved components TODO <!-- List files or directories that will be changed by the refactoring. --> ## Optional: Intended side effects <!-- If the refactoring involves changes apart from the main improvements (such as a better UI), list them here. It may be a good idea to create separate issues and link them here. --> ## Optional: Missing test coverage <!-- If you are aware of tests that need to be written or adjusted apart from unit tests for the changed components, please list them here. -->