### Proposal Previously, it was decided that a new policy type for Vulnerability Results will be a separate policy. Scan result policies moving forward will stand alone as rules related to detecting vulnerabilities from scan result findings and blocking merge to defined branches when the rule is violated. If the rule is violated, established approvers may review and approve the merge request to pass with the detected vulnerabilities, or deny it and require action before proceeding. The philosophy behind the **Purpose/Action** of each policy: - Scan execution policy -> purpose is to create security scans - Merge request approval policy -> purpose is to manage security approval rules - Vulnerability management policy -> purpose is to manage the vulnerability, create auto actions ### Research We validated in https://gitlab.com/gitlab-org/ux-research/-/issues/2416 that users understand the name "Merge request approval policy" very well and no other options stood out as a preference. #### Changes in Documentation Previously it was suggested that we use "Security Merge Request Approval Policy" in docs, but this is becoming exceedingly long. Documentation will appear "Policies > Merge request approval policies". We could also update the parent page to Security Policies if we are concerned. Key docs pages that will need to be reviewed/updated: 1. https://docs.gitlab.com/ee/user/application_security/policies/ 2. https://docs.gitlab.com/ee/user/application_security/policies/scan-result-policies.html 3. https://docs.gitlab.com/ee/tutorials/scan_result_policy/ 4. https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html#security-approvals 5. https://docs.gitlab.com/ee/user/application_security/ 6. https://docs.gitlab.com/ee/user/compliance/license_approval_policies.html #### Changes in UI | Page | Screenshot | | - | - | | Policy List Page | <img src="/uploads/594625a0731ed8271c70198e8ffae8cc/Screenshot_2023-05-31_at_18.22.40.png" height=300 /> | | Policy Select Page | <img src="/uploads/91e906d87df1cd3eb73edfb56a7dea43/Frame_172.png" height=300 /> | | Policy Editor | <img src="/uploads/6a57121e7751da249a00ab1dfb7439b1/image.png" height=300 /> | #### Policy Select Page copy: This is the updated copy to use in the Policy Select Page listed above. **Merge request approval policy** When vulnerabilities are detected that violate my policy rules, block merge without required approvals. **Example** If any scanner finds a newly detected critical vulnerability in an open merge request targeting the main branch, then approvals from any two members of the application security team are required. ### Additional requirements 1. We should use \`approval_policy\` in all places: url, page title and \`type\` attribute. Although we need to still support `scan_result_policy` until %17.0.