Fix "Security & Compliance" access for auditors

Enable accessing the "Security & Compliance" related pages for auditor
users if the feature is not explicitly disabled.

Changelog: fixed
EE: true

ee/app/policies/ee/project_policy.rb

@@ -266,6 +266,10 @@ module EE
         enable :read_pages
       end
 
+      rule { ~security_and_compliance_disabled & auditor }.policy do
+        enable :access_security_and_compliance
+      end
+
       rule { auditor & security_dashboard_enabled }.policy do
         enable :read_vulnerability
         enable :read_vulnerability_scanner

ee/spec/policies/project_policy_spec.rb

@@ -456,6 +456,28 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'access_security_and_compliance' do
+    context 'when the user is auditor' do
+      let(:current_user) { create(:user, :auditor) }
+
+      before do
+        project.project_feature.update!(security_and_compliance_access_level: access_level)
+      end
+
+      context 'when the "Security & Compliance" is not enabled' do
+        let(:access_level) { Featurable::DISABLED }
+
+        it { is_expected.to be_disallowed(:access_security_and_compliance) }
+      end
+
+      context 'when the "Security & Compliance" is enabled' do
+        let(:access_level) { Featurable::PRIVATE }
+
+        it { is_expected.to be_allowed(:access_security_and_compliance) }
+      end
+    end
+  end
+
   describe 'vulnerability feedback permissions' do
     where(permission: %i[
       read_vulnerability_feedback