Clarify security approval rules in documentation

5817e703 · Thiago Figueiró · Nick Gaskill · 1986aa02 · 5817e703
Commit 5817e703 authored Aug 19, 2020 by Thiago Figueiró Committed by Nick Gaskill Aug 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

doc/user/application_security/index.md doc/user/application_security/index.md +5 -4

No files found.
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -321,14 +321,15 @@ Once this group is added to your project, the approval rule is enabled for all m

 Any code changes cause the approvals required to reset.

-An approval is required when a security report:
+An approval is required when the latest security report in a merge request:

- Contains a new vulnerability of `high`, `critical`, or `unknown` severity, regardless of dismissal.
+- Contains a vulnerability of `high`, `critical`, or `unknown` severity that is not present in the
+  target branch. Note that approval is still required for dismissed vulnerabilities.
 - Is not generated during pipeline execution.

-An approval is optional when a security report:
+An approval is optional when the security report:

- Contains no new vulnerabilities.
+- Contains no new vulnerabilities when compared to the target branch.
 - Contains only new vulnerabilities of `low` or `medium` severity.

 ## Enabling License Approvals within a project