Create worker to sync security_finding_enrichments for existing vulnerabilities
## Summary

When a security policy is created at the project or group level, existing vulnerabilities need to be enriched with KEV/EPSS data to enable policy evaluation against pre-existing findings.

## Problem

Security policies that filter on KEV status or EPSS scores cannot evaluate pre-existing vulnerabilities, because `security_finding_enrichments` records are only created when a pipeline runs. This creates an inconsistent experience when a security policy with a KEV/EPSS filter has been deployed but no default branch pipeline has run since. The resulting inconsistent state is:

- Pre-existing vulnerabilities lack enrichment data
- Policies cannot properly evaluate historical findings

<details>
<summary>Example Policy</summary>

```yaml
approval_policy:
  - name: ''
    rules:
      - type: scan_finding
        vulnerability_states:
          - detected
          - confirmed
          - dismissed
          - resolved
        vulnerability_attributes:
          epss_score:
            value: 0.1
            operator: greater_than
```

</details>

See discussion for context: https://gitlab.com/groups/gitlab-org/-/epics/16311#note_2999757659

## Proposal

Enqueue a background worker when a security policy is created that:

1. Identifies all existing vulnerabilities in the default branch for the scope (project or group)

   ```ruby
   Vulnerability.present_on_default_branch.joins(:findings).merge(Vulnerabilities::Finding.joins(:cve_identifiers))
   ```

2. Creates `security_finding_enrichments` records with KEV/EPSS data
3. Handles bulk enrichment efficiently

## Acceptance Criteria

- [ ] When a security policy is created at project level, a worker is enqueued to enrich existing project vulnerabilities
- [ ] When a security policy is created at group level, a worker is enqueued to enrich existing vulnerabilities across all group projects
- [ ] Worker creates `security_finding_enrichments` records for vulnerabilities with identifiable CVEs
- [ ] Worker handles large volumes of vulnerabilities efficiently (batching/pagination)
- [ ] Worker is idempotent and handles re-runs safely
- [ ] Worker tracks completion status and handles failures gracefully
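As an added illustration (not GitLab's code), a plain-Ruby sketch of the batched, idempotent enrichment the proposal and acceptance criteria call for: the `Finding` struct, `EnrichmentStore`, the KEV/EPSS lookups and the CVE ids are constructed stand-ins for the `Vulnerability`/`Vulnerabilities::Finding` query and the `security_finding_enrichments` table.

```ruby
# Hypothetical stand-ins (added example, not GitLab code): in the real worker
# the findings come from the Vulnerability.present_on_default_branch query and
# the store is an upsert into the security_finding_enrichments table.
Finding = Struct.new(:id, :cve_ids)
class EnrichmentStore
  attr_reader :rows
  def initialize; @rows = {}; end
  # Keyed on (finding_id, cve): a re-run overwrites instead of duplicating rows,
  # which is what makes the worker idempotent.
  def upsert(finding_id, cve, attrs); @rows[[finding_id, cve]] = attrs; end
end
class EnrichExistingVulnerabilitiesWorker
  BATCH_SIZE = 2 # tiny so the sample exercises batching; real code would use hundreds

  def initialize(findings:, store:, kev:, epss:)
    @findings, @store, @kev, @epss = findings, store, kev, epss
  end
  # Returns counters so the caller can track completion and skipped findings.
  def perform
    stats = { enriched: 0, skipped_no_cve: 0, batches: 0 }
    @findings.each_slice(BATCH_SIZE) do |batch|
      stats[:batches] += 1
      batch.each do |finding|
        if finding.cve_ids.empty? # no identifiable CVE: nothing to look up
          stats[:skipped_no_cve] += 1
          next
        end
        finding.cve_ids.each do |cve|
          @store.upsert(finding.id, cve, kev: @kev.include?(cve), epss_score: @epss[cve])
          stats[:enriched] += 1
        end
      end
    end
    stats
  end
end
# Constructed sample data; the CVE ids are placeholders, not real advisories.
FINDINGS = [Finding.new(1, ['CVE-0000-0001']), Finding.new(2, []),
            Finding.new(3, ['CVE-0000-0002', 'CVE-0000-0003'])].freeze
KEV = ['CVE-0000-0001'].freeze
EPSS = { 'CVE-0000-0001' => 0.97, 'CVE-0000-0002' => 0.05 }.freeze

# Runs the worker `runs` times against one store to show that re-runs are safe.
def run_sample(runs: 1)
  store = EnrichmentStore.new
  stats = nil
  runs.times { stats = EnrichExistingVulnerabilitiesWorker.new(findings: FINDINGS, store: store, kev: KEV, epss: EPSS).perform }
  [stats, store]
end
```

Running it twice leaves exactly one enrichment row per (finding, CVE) pair, and the finding without a CVE is counted as skipped rather than written.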