Link to more context (like the sast-rules changelog) when SAST findings are auto-resolved
Problem
When we remove rules, we auto-resolve the findings and leave a comment, currently:
This vulnerability was automatically resolved because its vulnerability type was disabled in this project or removed from GitLab's default ruleset.
However, actually finding out what happened, and whether the rules were removed by GitLab or disabled by the customer, is hard.
Proposal
Update the comment to link to the sast-rules changelog for any Semgrep-based findings that are auto-resolved.
Notes
- The comment is currently static and is used for both Semgrep- and KICS-based analyzers. (In principle it also works for any other analyzer that populates the right report metadata.) We would need to link to different places or, as a smaller iteration, add a link only for Semgrep findings.
- Or, we could link to a single docs page and disambiguate from there. In fact, a docs page listing out rules might be a better experience than dumping folks onto a changelog without context.
- This is set to high priority because it enables (or, if we are being strict, unblocks) Improve GitLab-maintained SAST rulesets (&10907).
Edited by Connor Gilbert