From e993abe241287f7bd868710ef665faa001570beb Mon Sep 17 00:00:00 2001
From: Dheeraj Joshi <djoshi@gitlab.com>
Date: Wed, 26 Nov 2025 20:24:23 +0530
Subject: [PATCH 1/3] Add scanner profile configuration section

---
 .../security_configuration/components/app.vue |  38 +++++-
 .../scanner_profile_configuration.vue         | 124 ++++++++++++++++++
 .../security_configuration/constants.js       |   4 +
 locale/gitlab.pot                             |  30 +++++
 4 files changed, 193 insertions(+), 3 deletions(-)
 create mode 100644 app/assets/javascripts/security_configuration/components/scanner_profile_configuration.vue

diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue
index 7048e5b8b60baa..22251df4c2e39e 100644
--- a/app/assets/javascripts/security_configuration/components/app.vue
+++ b/app/assets/javascripts/security_configuration/components/app.vue
@@ -1,5 +1,14 @@
 <script>
-import { GlTab, GlTabs, GlSprintf, GlLink, GlAlert, GlButton, GlExperimentBadge } from '@gitlab/ui';
+import {
+  GlTab,
+  GlTabs,
+  GlSprintf,
+  GlLink,
+  GlAlert,
+  GlButton,
+  GlExperimentBadge,
+  GlBadge,
+} from '@gitlab/ui';
 import Api from '~/api';
 import LocalStorageSync from '~/vue_shared/components/local_storage_sync.vue';
 import UserCalloutDismisser from '~/vue_shared/components/user_callout_dismisser.vue';
@@ -25,6 +34,7 @@ import PipelineSecretDetectionFeatureCard from './pipeline_secret_detection_feat
 import SecretPushProtectionFeatureCard from './secret_push_protection_feature_card.vue';
 import TrainingProviderList from './training_provider_list.vue';
 import RefTrackingList from './ref_tracking_list.vue';
+import ScannerProfileConfiguration from './scanner_profile_configuration.vue';
 
 export default {
   i18n,
@@ -43,6 +53,7 @@ export default {
     GlSprintf,
     GlTab,
     GlTabs,
+    GlBadge,
     LocalStorageSync,
     SectionLayout,
     GlButton,
@@ -52,6 +63,7 @@ export default {
     UserCalloutDismisser,
     TrainingProviderList,
     RefTrackingList,
+    ScannerProfileConfiguration,
     ContainerScanningForRegistryFeatureCard: () =>
       import(
         'ee_component/security_configuration/components/container_scanning_for_registry_feature_card.vue'
@@ -138,8 +150,6 @@ export default {
       );
     },
     trackedRefsHelpPagePath() {
-      // Once the help page content is available, we can use the anchor to link to the specific section
-      // See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/578081
       return helpPagePath('user/application_security/vulnerability_report/_index.md');
     },
   },
@@ -176,6 +186,9 @@ export default {
         Api.trackRedisHllUserEvent(SERVICE_PING_SECURITY_CONFIGURATION_THREAT_MANAGEMENT_VISIT);
       }
     },
+    handleApplyProfile() {
+      // console.log('Apply profile for scanner:', scanner);
+    },
   },
   autoDevopsEnabledAlertStorageKey: AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY,
 };
@@ -233,6 +246,25 @@ export default {
           @dismiss="dismissAutoDevopsEnabledAlert"
         />
 
+        <section-layout stacked class="gl-border-b-0" :heading="$options.i18n.securityProfiles">
+          <template #heading>
+            <div class="gl-display-flex gl-align-items-center">
+              <span>{{ $options.i18n.securityProfiles }}</span>
+              <gl-badge variant="info" class="gl-ml-3">
+                {{ __('Recommended') }}
+              </gl-badge>
+            </div>
+          </template>
+          <template #description>
+            <p>
+              {{ $options.i18n.securityProfilesDesc }}
+            </p>
+          </template>
+          <template #features>
+            <scanner-profile-configuration @apply-profile="handleApplyProfile" />
+          </template>
+        </section-layout>
+
         <section-layout stacked class="gl-border-b-0" :heading="$options.i18n.securityTesting">
           <template #description>
             <p>
diff --git a/app/assets/javascripts/security_configuration/components/scanner_profile_configuration.vue b/app/assets/javascripts/security_configuration/components/scanner_profile_configuration.vue
new file mode 100644
index 00000000000000..f7a7c4bf1a44ff
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/components/scanner_profile_configuration.vue
@@ -0,0 +1,124 @@
+<script>
+import { GlTable, GlButton, GlIcon } from '@gitlab/ui';
+import { __ } from '~/locale';
+
+export default {
+  name: 'ScannerProfileConfiguration',
+  components: {
+    GlTable,
+    GlButton,
+    GlIcon,
+  },
+  inject: ['projectFullPath'],
+  emits: ['apply-profile'],
+  data() {
+    return {
+      fields: [
+        {
+          key: 'scanner',
+          label: __('Scanner'),
+        },
+        {
+          key: 'profile',
+          label: __('Profile'),
+        },
+        {
+          key: 'status',
+          label: __('Status'),
+        },
+        {
+          key: 'lastScan',
+          label: __('Last scan'),
+        },
+        {
+          key: 'actions',
+          label: '',
+        },
+      ],
+      scanners: [
+        {
+          id: 'secret-push-protection',
+          scannerCode: 'SD',
+          scannerName: __('Secret Push Protection'),
+          scannerTooltip: __('Prevents secrets from being pushed to your repository'),
+          profile: __('No profile applied'),
+          statusIcon: 'close',
+          statusText: __('Not configured'),
+          statusDescription: __('Apply profile to enable'),
+          lastScan: '—',
+          showApplyButton: true,
+        },
+      ],
+    };
+  },
+  methods: {
+    handleApplyProfile(scanner) {
+      this.$emit('apply-profile', scanner);
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <gl-table :items="scanners" :fields="fields" stacked="sm">
+      <template #head(profile)="data">
+        <div class="gl-display-flex gl-align-items-center">
+          <span>{{ data.label }}</span>
+          <gl-icon
+            v-gl-tooltip
+            name="information-o"
+            :title="__('Profiles define scanner configurations')"
+            class="gl-ml-2"
+          />
+        </div>
+      </template>
+
+      <template #cell(scanner)="{ item }">
+        <div class="gl-display-flex gl-align-items-center">
+          <div
+            class="gl-display-flex gl-align-items-center gl-justify-content-center gl-border gl-mr-3 gl-rounded-base gl-p-2"
+            style="width: 32px; height: 32px"
+          >
+            <span class="gl-font-weight-bold gl-font-sm">{{ item.scannerCode }}</span>
+          </div>
+          <span class="gl-font-weight-bold">{{ item.scannerName }}</span>
+          <gl-icon v-gl-tooltip name="information-o" :title="item.scannerTooltip" class="gl-ml-2" />
+        </div>
+      </template>
+
+      <template #cell(profile)="{ item }">
+        <span>{{ item.profile }}</span>
+      </template>
+
+      <template #cell(status)="{ item }">
+        <div>
+          <div class="gl-display-flex gl-align-items-center gl-mb-2">
+            <gl-icon :name="item.statusIcon" class="gl-mr-2 gl-text-red-500" />
+            <span>{{ item.statusText }}</span>
+          </div>
+          <div class="gl-font-sm gl-text-secondary">
+            {{ item.statusDescription }}
+          </div>
+        </div>
+      </template>
+
+      <template #cell(lastScan)="{ item }">
+        <span>{{ item.lastScan }}</span>
+      </template>
+
+      <template #cell(actions)="{ item }">
+        <gl-button
+          v-if="item.showApplyButton"
+          variant="confirm"
+          category="secondary"
+          size="small"
+          icon="eye"
+          @click="handleApplyProfile(item)"
+        >
+          {{ __('Apply default profile') }}
+        </gl-button>
+      </template>
+    </gl-table>
+  </div>
+</template>
diff --git a/app/assets/javascripts/security_configuration/constants.js b/app/assets/javascripts/security_configuration/constants.js
index 23666abad34bb7..861839f96bfee0 100644
--- a/app/assets/javascripts/security_configuration/constants.js
+++ b/app/assets/javascripts/security_configuration/constants.js
@@ -165,4 +165,8 @@ export const i18n = {
     'SecurityConfiguration|Enable security training to help your developers learn how to fix vulnerabilities. Developers can view security training from selected educational providers, relevant to the detected vulnerability. Please note that security training is not accessible in an environment that is offline.',
   ),
   securityTrainingDoc: s__('SecurityConfiguration|Learn more about vulnerability training'),
+  securityProfiles: s__('SecurityConfiguration|Profile-based scanner configuration'),
+  securityProfilesDesc: s__(
+    'SecurityConfiguration|Define security settings once, reuse them everywhere. Update a profile and changes automatically apply to every project using it, ensuring consistent, predictable security coverage with minimal effort.',
+  ),
 };
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index ea52711dad2bde..65a4cd0ddec0b7 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -9102,6 +9102,12 @@ msgstr ""
 msgid "Apply a template"
 msgstr ""
 
+msgid "Apply default profile"
+msgstr ""
+
+msgid "Apply profile to enable"
+msgstr ""
+
 msgid "Apply selected attributes to projects (keeps existing attributes)"
 msgstr ""
 
@@ -44374,6 +44380,9 @@ msgstr ""
 msgid "No prioritized labels yet!"
 msgstr ""
 
+msgid "No profile applied"
+msgstr ""
+
 msgid "No project found"
 msgstr ""
 
@@ -44557,6 +44566,9 @@ msgstr ""
 msgid "Not confidential"
 msgstr ""
 
+msgid "Not configured"
+msgstr ""
+
 msgid "Not enabled"
 msgstr ""
 
@@ -50697,6 +50709,9 @@ msgstr ""
 msgid "Prevent users from performing write operations while GitLab maintenance is in progress."
 msgstr ""
 
+msgid "Prevents secrets from being pushed to your repository"
+msgstr ""
+
 msgid "Preview"
 msgstr ""
 
@@ -51090,6 +51105,9 @@ msgstr ""
 msgid "ProfileSession|on"
 msgstr ""
 
+msgid "Profiles define scanner configurations"
+msgstr ""
+
 msgid "ProfilesAuthentication|Add a passkey to sign in securely with your trusted device. %{link_start}Learn more about passkeys%{link_end}."
 msgstr ""
 
@@ -54883,6 +54901,9 @@ msgstr ""
 msgid "Recently viewed"
 msgstr ""
 
+msgid "Recommended"
+msgstr ""
+
 msgid "Recommended. Permanently delete an item:"
 msgstr ""
 
@@ -59216,6 +59237,9 @@ msgstr ""
 msgid "Secret Detection"
 msgstr ""
 
+msgid "Secret Push Protection"
+msgstr ""
+
 msgid "Secret detection"
 msgstr ""
 
@@ -59915,6 +59939,9 @@ msgstr ""
 msgid "SecurityConfiguration|Customize common SAST settings to suit your requirements. Configuration changes made here override those provided by GitLab and are excluded from updates. For details of more advanced configuration options, see the %{linkStart}GitLab SAST documentation%{linkEnd}."
 msgstr ""
 
+msgid "SecurityConfiguration|Define security settings once, reuse them everywhere. Update a profile and changes automatically apply to every project using it, ensuring consistent, predictable security coverage with minimal effort."
+msgstr ""
+
 msgid "SecurityConfiguration|Enable %{feature}"
 msgstr ""
 
@@ -59960,6 +59987,9 @@ msgstr ""
 msgid "SecurityConfiguration|Once you've enabled a scan for the default branch, any subsequent feature branch you create will include the scan. An enabled scanner will not be reflected as such until the pipeline has been successfully executed and it has generated valid artifacts."
 msgstr ""
 
+msgid "SecurityConfiguration|Profile-based scanner configuration"
+msgstr ""
+
 msgid "SecurityConfiguration|Quickly enable all continuous testing and compliance tools by enabling %{linkStart}Auto DevOps%{linkEnd}"
 msgstr ""
 
-- 
GitLab


From 66a0d745881988b9961614ea9113d60bea7b1717 Mon Sep 17 00:00:00 2001
From: Dheeraj Joshi <djoshi@gitlab.com>
Date: Thu, 11 Dec 2025 12:00:32 +0530
Subject: [PATCH 2/3] Add graphql resolvers

---
 .../scanner_profile_configuration.vue         | 263 ++++++++++++++++++
 ...lable_security_scan_profiles.query.graphql |  11 +
 ...oject_security_scan_profiles.query.graphql |  11 +
 .../graphql/scan_profiles/resolvers.js        |  64 +++++
 .../scan_profile.fragment.graphql             |   7 +
 ...security_scan_profile.client.query.graphql |   7 +
 ...urity_scan_profile_attach.mutation.graphql |  17 ++
 ...urity_scan_profile_detach.mutation.graphql |  16 ++
 8 files changed, 396 insertions(+)
 create mode 100644 app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/group_available_security_scan_profiles.query.graphql
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/project_security_scan_profiles.query.graphql
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/scan_profile.fragment.graphql
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile.client.query.graphql
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_attach.mutation.graphql
 create mode 100644 app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_detach.mutation.graphql

diff --git a/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
new file mode 100644
index 00000000000000..ae5a14a26e78e6
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
@@ -0,0 +1,263 @@
+<script>
+import {
+  GlTable,
+  GlButton,
+  GlIcon,
+  GlBadge,
+  GlLoadingIcon,
+  GlAlert,
+  GlTooltipDirective,
+} from '@gitlab/ui';
+import { __ } from '~/locale';
+
+import groupAvailableSecurityScanProfilesQuery from '../../graphql/scan_profiles/group_available_security_scan_profiles.query.graphql';
+import projectSecurityScanProfilesQuery from '../../graphql/scan_profiles/project_security_scan_profiles.query.graphql';
+import attachMutation from '../../graphql/scan_profiles/security_scan_profile_attach.mutation.graphql';
+import detachMutation from '../../graphql/scan_profiles/security_scan_profile_detach.mutation.graphql';
+
+export default {
+  name: 'ScannerProfileConfiguration',
+  components: {
+    GlTable,
+    GlButton,
+    GlIcon,
+    GlBadge,
+    GlLoadingIcon,
+    GlAlert,
+  },
+  directives: {
+    GlTooltip: GlTooltipDirective,
+  },
+  inject: ['projectFullPath', 'groupFullPath'],
+  data() {
+    return {
+      alertMessage: '',
+      busy: false,
+      fields: [
+        { key: 'scanner', label: __('Scanner') },
+        { key: 'profile', label: __('Profile') },
+        { key: 'status', label: __('Status') },
+        { key: 'lastScan', label: __('Last scan') },
+        { key: 'actions', label: '' },
+      ],
+      scanners: [
+        {
+          id: 'secret-detection',
+          scannerCode: 'SD',
+          scannerName: __('Secret Push Protection'),
+          scannerTooltip: __(
+            'Prevents secrets from being pushed to your repository using baseline detection rules.',
+          ),
+          scanTypeEnum: 'SECRET_DETECTION',
+          lastScan: '—',
+        },
+      ],
+    };
+  },
+
+  apollo: {
+    availableProfiles: {
+      query: groupAvailableSecurityScanProfilesQuery,
+      variables() {
+        return {
+          fullPath: this.groupFullPath,
+          type: 'SECRET_DETECTION',
+        };
+      },
+      update: (data) => data?.group?.availableSecurityScanProfiles || [],
+      error(error) {
+        this.alertMessage = error.message;
+      },
+    },
+
+    attachedProfiles: {
+      query: projectSecurityScanProfilesQuery,
+      variables() {
+        return { fullPath: this.projectFullPath };
+      },
+      update: (data) => data?.project?.securityScanProfiles || [],
+      error(error) {
+        this.alertMessage = error.message;
+      },
+    },
+  },
+
+  computed: {
+    tableItems() {
+      return this.scanners.map((base) => {
+        const attached = this.attachedProfiles.find((p) => p.scanType === base.scanTypeEnum);
+        const profileLabel = attached ? attached.name : __('No profile applied');
+
+        return {
+          ...base,
+          attachedProfileId: attached?.id || null,
+          isConfigured: Boolean(attached),
+          profileLabel,
+          statusVariant: attached ? 'success' : 'danger',
+          statusText: attached ? __('Configured') : __('Not configured'),
+          statusDescription: attached
+            ? __('Profile applied')
+            : __('Apply default profile to enable'),
+        };
+      });
+    },
+  },
+
+  methods: {
+    findDefaultProfileIdFor(scanner) {
+      const matches =
+        this.availableProfiles?.filter((p) => p.scanType === scanner.scanTypeEnum) || [];
+
+      // First use persisted custom profile if available, otherwise template
+      const persisted = matches.find((p) => p.gitlabRecommended === false);
+      if (persisted) {
+        return persisted.id;
+      }
+
+      const template = matches.find((p) => p.gitlabRecommended === true);
+      if (template) {
+        return template.id;
+      }
+
+      // Final fallback
+      return 'gid://gitlab/Security::ScanProfile/secret_detection';
+    },
+
+    async attach(scanner) {
+      this.busy = true;
+      try {
+        const profileId = this.findDefaultProfileIdFor(scanner);
+        const projectId = this.$apollo.queries.attachedProfiles.data?.project?.id;
+
+        await this.$apollo.mutate({
+          mutation: attachMutation,
+          variables: {
+            input: {
+              securityScanProfileId: profileId,
+              projectIds: [projectId],
+            },
+          },
+          refetchQueries: [
+            {
+              query: projectSecurityScanProfilesQuery,
+              variables: { fullPath: this.projectFullPath },
+            },
+          ],
+        });
+      } catch (error) {
+        this.alertMessage = error.message;
+      } finally {
+        this.busy = false;
+      }
+    },
+
+    async detach(scanner) {
+      if (!scanner.attachedProfileId) {
+        return;
+      }
+
+      const projectId = this.$apollo.queries.attachedProfiles.data?.project?.id;
+
+      this.busy = true;
+      try {
+        await this.$apollo.mutate({
+          mutation: detachMutation,
+          variables: {
+            input: {
+              securityScanProfileId: scanner.attachedProfileId,
+              projectIds: [projectId],
+            },
+          },
+          refetchQueries: [
+            {
+              query: projectSecurityScanProfilesQuery,
+              variables: { fullPath: this.projectFullPath },
+            },
+          ],
+        });
+      } catch (error) {
+        this.alertMessage = error.message;
+      } finally {
+        this.busy = false;
+      }
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <gl-alert
+      v-if="alertMessage"
+      variant="danger"
+      :dismissible="true"
+      @dismiss="alertMessage = ''"
+      class="gl-mb-4"
+    >
+      {{ alertMessage }}
+    </gl-alert>
+
+    <gl-table :items="tableItems" :fields="fields" stacked="sm" show-empty>
+      <template #cell(scanner)="{ item }">
+        <div class="gl-display-flex gl-align-items-center">
+          <div
+            class="gl-display-flex gl-align-items-center gl-justify-content-center gl-border gl-mr-3 gl-rounded-base gl-p-2"
+            style="width: 32px; height: 32px"
+          >
+            <span class="gl-font-weight-bold gl-font-sm">{{ item.scannerCode }}</span>
+          </div>
+          <span class="gl-font-weight-bold">{{ item.scannerName }}</span>
+          <gl-icon
+            v-gl-tooltip
+            name="information-o"
+            class="gl-ml-2 gl-text-secondary"
+            :title="item.scannerTooltip"
+          />
+        </div>
+      </template>
+
+      <template #cell(profile)="{ item }">
+        <span>{{ item.profileLabel }}</span>
+      </template>
+
+      <template #cell(status)="{ item }">
+        <gl-badge :variant="item.statusVariant">{{ item.statusText }}</gl-badge>
+        <div class="gl-font-sm gl-mt-2 gl-text-secondary">
+          {{ item.statusDescription }}
+        </div>
+      </template>
+
+      <template #cell(lastScan)="{ item }">
+        <span>{{ item.lastScan }}</span>
+      </template>
+
+      <template #cell(actions)="{ item }">
+        <div class="gl-display-flex gl-gap-3">
+          <gl-button
+            v-if="!item.isConfigured"
+            :disabled="busy"
+            variant="confirm"
+            category="secondary"
+            size="small"
+            @click="attach(item)"
+          >
+            <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
+            {{ __('Apply default profile') }}
+          </gl-button>
+
+          <gl-button
+            v-else
+            :disabled="busy"
+            variant="danger"
+            category="secondary"
+            size="small"
+            @click="detach(item)"
+          >
+            <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
+            {{ __('Detach profile') }}
+          </gl-button>
+        </div>
+      </template>
+    </gl-table>
+  </div>
+</template>
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/group_available_security_scan_profiles.query.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/group_available_security_scan_profiles.query.graphql
new file mode 100644
index 00000000000000..f29dae27de9c83
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/group_available_security_scan_profiles.query.graphql
@@ -0,0 +1,11 @@
+query GroupAvailableSecurityScanProfiles($fullPath: ID!, $type: SecurityScanProfileType) {
+  group(fullPath: $fullPath) {
+    id
+    name
+    availableSecurityScanProfiles(type: $type) {
+      ...ScanProfileFields
+    }
+  }
+}
+
+#import "./scan_profile.fragment.graphql"
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/project_security_scan_profiles.query.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/project_security_scan_profiles.query.graphql
new file mode 100644
index 00000000000000..446b422ef27177
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/project_security_scan_profiles.query.graphql
@@ -0,0 +1,11 @@
+query ProjectSecurityScanProfiles($fullPath: ID!) {
+  project(fullPath: $fullPath) {
+    id
+    name
+    securityScanProfiles {
+      ...ScanProfileFields
+    }
+  }
+}
+
+#import "./scan_profile.fragment.graphql"
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js b/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
new file mode 100644
index 00000000000000..e5134b40a74671
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
@@ -0,0 +1,64 @@
+// resolvers.js
+
+import { InMemoryCache } from '@apollo/client/core';
+
+const mockAttachedByProject = {};
+// Example structure:
+// { "gid://gitlab/Project/19": ["gid://gitlab/Security::ScanProfile/1"] }
+
+export default {
+  Query: {
+    securityScanProfile(_, { id }, { cache }) {
+      // Virtual object for now.
+      // Backend will replace this once merged.
+      return {
+        id,
+        name: 'Secret Push Protection (default)',
+        description:
+          'Mock profile until backend merge. Provides secret detection using baseline rules.',
+        scanType: 'SECRET_DETECTION',
+        gitlabRecommended: true,
+        __typename: 'ScanProfileType',
+      };
+    },
+  },
+
+  Mutation: {
+    securityScanProfileAttach(_, { input }, { cache }) {
+      const { securityScanProfileId, projectIds = [] } = input;
+
+      projectIds.forEach((projectId) => {
+        if (!mockAttachedByProject[projectId]) {
+          mockAttachedByProject[projectId] = [];
+        }
+        if (!mockAttachedByProject[projectId].includes(securityScanProfileId)) {
+          mockAttachedByProject[projectId].push(securityScanProfileId);
+        }
+      });
+
+      return {
+        clientMutationId: input.clientMutationId || null,
+        errors: [],
+        __typename: 'SecurityScanProfileAttachPayload',
+      };
+    },
+
+    securityScanProfileDetach(_, { input }, { cache }) {
+      const { securityScanProfileId, projectIds = [] } = input;
+
+      projectIds.forEach((projectId) => {
+        if (mockAttachedByProject[projectId]) {
+          mockAttachedByProject[projectId] = mockAttachedByProject[projectId].filter(
+            (id) => id !== securityScanProfileId,
+          );
+        }
+      });
+
+      return {
+        clientMutationId: input.clientMutationId || null,
+        errors: [],
+        __typename: 'SecurityScanProfileDetachPayload',
+      };
+    },
+  },
+};
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/scan_profile.fragment.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/scan_profile.fragment.graphql
new file mode 100644
index 00000000000000..734d35283ebe7e
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/scan_profile.fragment.graphql
@@ -0,0 +1,7 @@
+fragment ScanProfileFields on ScanProfileType {
+  id
+  name
+  description
+  scanType
+  gitlabRecommended
+}
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile.client.query.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile.client.query.graphql
new file mode 100644
index 00000000000000..184b441965fc1e
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile.client.query.graphql
@@ -0,0 +1,7 @@
+query SecurityScanProfile($id: SecurityScanProfileID!) {
+  securityScanProfile(id: $id) @client {
+    ...ScanProfileFields
+  }
+}
+
+#import "./scan_profile.fragment.graphql"
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_attach.mutation.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_attach.mutation.graphql
new file mode 100644
index 00000000000000..b7efaf608f853b
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_attach.mutation.graphql
@@ -0,0 +1,17 @@
+mutation SecurityScanProfileAttach($input: SecurityScanProfileAttachInput!) {
+  securityScanProfileAttach(input: $input) @client {
+    clientMutationId
+    errors
+  }
+}
+
+#import "./scan_profile.fragment.graphql"
+
+#Example
+#{
+#  "input": {
+#    "securityScanProfileId": "gid://gitlab/Security::ScanProfile/secret_detection",
+#    "projectIds": ["gid://gitlab/Project/19"],
+#    "groupIds": []
+#  }
+#}
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_detach.mutation.graphql b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_detach.mutation.graphql
new file mode 100644
index 00000000000000..170ad34bb53fcc
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/security_scan_profile_detach.mutation.graphql
@@ -0,0 +1,16 @@
+mutation SecurityScanProfileDetach($input: SecurityScanProfileDetachInput!) {
+  securityScanProfileDetach(input: $input) @client {
+    clientMutationId
+    errors
+  }
+}
+
+#import "./scan_profile.fragment.graphql"
+
+#Example
+#{
+#  "input": {
+#    "securityScanProfileId": "gid://gitlab/Security::ScanProfile/1",
+#    "projectIds": ["gid://gitlab/Project/19"]
+#  }
+#}
-- 
GitLab


From 41c1bf8ccc940641af9a0f3dea2ba097fef8ec0b Mon Sep 17 00:00:00 2001
From: Dheeraj Joshi <djoshi@gitlab.com>
Date: Thu, 11 Dec 2025 16:10:13 +0530
Subject: [PATCH 3/3] Add integration with resolvers

---
 .../security_configuration/components/app.vue |   2 +-
 .../scanner_profile_configuration.vue         | 252 ++++++++++--------
 .../scan_profiles/scanner_profile_modal.vue   |  78 ++++++
 .../components/scan_profiles/scanner_row.vue  |  88 ++++++
 .../graphql/scan_profiles/resolvers.js        | 152 ++++++++---
 5 files changed, 422 insertions(+), 150 deletions(-)
 create mode 100644 app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_modal.vue
 create mode 100644 app/assets/javascripts/security_configuration/components/scan_profiles/scanner_row.vue

diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue
index 22251df4c2e39e..00e35adc8f267b 100644
--- a/app/assets/javascripts/security_configuration/components/app.vue
+++ b/app/assets/javascripts/security_configuration/components/app.vue
@@ -34,7 +34,7 @@ import PipelineSecretDetectionFeatureCard from './pipeline_secret_detection_feat
 import SecretPushProtectionFeatureCard from './secret_push_protection_feature_card.vue';
 import TrainingProviderList from './training_provider_list.vue';
 import RefTrackingList from './ref_tracking_list.vue';
-import ScannerProfileConfiguration from './scanner_profile_configuration.vue';
+import ScannerProfileConfiguration from './scan_profiles/scanner_profile_configuration.vue';
 
 export default {
   i18n,
diff --git a/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
index ae5a14a26e78e6..4e9c445595def2 100644
--- a/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
+++ b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_configuration.vue
@@ -1,38 +1,36 @@
 <script>
-import {
-  GlTable,
-  GlButton,
-  GlIcon,
-  GlBadge,
-  GlLoadingIcon,
-  GlAlert,
-  GlTooltipDirective,
-} from '@gitlab/ui';
+import { GlTable, GlButton, GlIcon, GlAlert, GlTooltipDirective } from '@gitlab/ui';
 import { __ } from '~/locale';
 
-import groupAvailableSecurityScanProfilesQuery from '../../graphql/scan_profiles/group_available_security_scan_profiles.query.graphql';
-import projectSecurityScanProfilesQuery from '../../graphql/scan_profiles/project_security_scan_profiles.query.graphql';
+import availableProfilesQuery from '../../graphql/scan_profiles/group_available_security_scan_profiles.query.graphql';
+import projectProfilesQuery from '../../graphql/scan_profiles/project_security_scan_profiles.query.graphql';
 import attachMutation from '../../graphql/scan_profiles/security_scan_profile_attach.mutation.graphql';
 import detachMutation from '../../graphql/scan_profiles/security_scan_profile_detach.mutation.graphql';
+import ScannerProfileModal from './scanner_profile_modal.vue';
 
 export default {
   name: 'ScannerProfileConfiguration',
+
   components: {
     GlTable,
     GlButton,
     GlIcon,
-    GlBadge,
-    GlLoadingIcon,
     GlAlert,
+    ScannerProfileModal,
   },
-  directives: {
-    GlTooltip: GlTooltipDirective,
-  },
+
+  directives: { GlTooltip: GlTooltipDirective },
+
   inject: ['projectFullPath', 'groupFullPath'],
+
   data() {
     return {
       alertMessage: '',
       busy: false,
+
+      modalVisible: false,
+      modalProfileId: null,
+
       fields: [
         { key: 'scanner', label: __('Scanner') },
         { key: 'profile', label: __('Profile') },
@@ -40,164 +38,157 @@ export default {
         { key: 'lastScan', label: __('Last scan') },
         { key: 'actions', label: '' },
       ],
+
       scanners: [
         {
           id: 'secret-detection',
           scannerCode: 'SD',
           scannerName: __('Secret Push Protection'),
-          scannerTooltip: __(
-            'Prevents secrets from being pushed to your repository using baseline detection rules.',
-          ),
-          scanTypeEnum: 'SECRET_DETECTION',
+          scannerTooltip: __('Prevents secrets from being pushed to your repository'),
+          profile: __('No profile applied'),
+          statusIcon: 'close',
+          statusText: __('Not configured'),
+          statusDescription: __('Apply profile to enable'),
           lastScan: '—',
+          showApplyButton: true,
+          attachedProfileId: null,
         },
       ],
+
+      availableProfiles: [],
+      attachedProfiles: [],
     };
   },
 
   apollo: {
     availableProfiles: {
-      query: groupAvailableSecurityScanProfilesQuery,
+      query: availableProfilesQuery,
       variables() {
-        return {
-          fullPath: this.groupFullPath,
-          type: 'SECRET_DETECTION',
-        };
-      },
-      update: (data) => data?.group?.availableSecurityScanProfiles || [],
-      error(error) {
-        this.alertMessage = error.message;
+        return { fullPath: this.groupFullPath, type: 'SECRET_DETECTION' };
       },
+      update: (data) => data.group.availableSecurityScanProfiles || [],
     },
 
     attachedProfiles: {
-      query: projectSecurityScanProfilesQuery,
+      query: projectProfilesQuery,
       variables() {
         return { fullPath: this.projectFullPath };
       },
-      update: (data) => data?.project?.securityScanProfiles || [],
-      error(error) {
-        this.alertMessage = error.message;
+      update: (data) => data.project.securityScanProfiles || [],
+      result() {
+        this.syncScannerState();
       },
     },
   },
 
-  computed: {
-    tableItems() {
-      return this.scanners.map((base) => {
-        const attached = this.attachedProfiles.find((p) => p.scanType === base.scanTypeEnum);
-        const profileLabel = attached ? attached.name : __('No profile applied');
-
-        return {
-          ...base,
-          attachedProfileId: attached?.id || null,
-          isConfigured: Boolean(attached),
-          profileLabel,
-          statusVariant: attached ? 'success' : 'danger',
-          statusText: attached ? __('Configured') : __('Not configured'),
-          statusDescription: attached
-            ? __('Profile applied')
-            : __('Apply default profile to enable'),
-        };
-      });
-    },
-  },
-
   methods: {
-    findDefaultProfileIdFor(scanner) {
-      const matches =
-        this.availableProfiles?.filter((p) => p.scanType === scanner.scanTypeEnum) || [];
-
-      // First use persisted custom profile if available, otherwise template
-      const persisted = matches.find((p) => p.gitlabRecommended === false);
-      if (persisted) {
-        return persisted.id;
-      }
+    syncScannerState() {
+      const profile = this.attachedProfiles[0];
+      const scanner = this.scanners[0];
 
-      const template = matches.find((p) => p.gitlabRecommended === true);
-      if (template) {
-        return template.id;
+      if (profile) {
+        scanner.profile = profile.name;
+        scanner.attachedProfileId = profile.id;
+        scanner.statusIcon = 'check-circle-filled';
+        scanner.statusText = __('Configured');
+        scanner.statusDescription = __('Profile applied');
+        scanner.showApplyButton = false;
+      } else {
+        scanner.profile = __('No profile applied');
+        scanner.attachedProfileId = null;
+        scanner.statusIcon = 'close';
+        scanner.statusText = __('Not configured');
+        scanner.statusDescription = __('Apply profile to enable');
+        scanner.showApplyButton = true;
       }
+    },
+
+    findDefaultProfileId() {
+      const profiles = this.availableProfiles;
+
+      const userDefined = profiles.find((p) => !p.gitlabRecommended);
+      if (userDefined) return userDefined.id;
 
-      // Final fallback
-      return 'gid://gitlab/Security::ScanProfile/secret_detection';
+      const recommended = profiles.find((p) => p.gitlabRecommended);
+      return recommended?.id || 'gid://gitlab/Security::ScanProfile/secret_detection';
     },
 
-    async attach(scanner) {
+    async handleApplyProfile() {
       this.busy = true;
       try {
-        const profileId = this.findDefaultProfileIdFor(scanner);
-        const projectId = this.$apollo.queries.attachedProfiles.data?.project?.id;
+        const defaultId = this.findDefaultProfileId();
+
+        const projectId = this.$apollo.queries.attachedProfiles?.data?.project?.id;
 
         await this.$apollo.mutate({
           mutation: attachMutation,
           variables: {
             input: {
-              securityScanProfileId: profileId,
+              securityScanProfileId: defaultId,
               projectIds: [projectId],
             },
           },
           refetchQueries: [
             {
-              query: projectSecurityScanProfilesQuery,
+              query: projectProfilesQuery,
               variables: { fullPath: this.projectFullPath },
             },
           ],
         });
-      } catch (error) {
-        this.alertMessage = error.message;
       } finally {
         this.busy = false;
       }
     },
 
-    async detach(scanner) {
-      if (!scanner.attachedProfileId) {
-        return;
-      }
-
-      const projectId = this.$apollo.queries.attachedProfiles.data?.project?.id;
-
+    async detachProfile() {
       this.busy = true;
       try {
+        const profileId = this.scanners[0].attachedProfileId;
+        const projectId = this.$apollo.queries.attachedProfiles.data.project.id;
+
         await this.$apollo.mutate({
           mutation: detachMutation,
           variables: {
             input: {
-              securityScanProfileId: scanner.attachedProfileId,
+              securityScanProfileId: profileId,
               projectIds: [projectId],
             },
           },
           refetchQueries: [
             {
-              query: projectSecurityScanProfilesQuery,
+              query: projectProfilesQuery,
               variables: { fullPath: this.projectFullPath },
             },
           ],
         });
-      } catch (error) {
-        this.alertMessage = error.message;
       } finally {
         this.busy = false;
       }
     },
+
+    openProfile() {
+      this.modalProfileId = this.scanners[0].attachedProfileId;
+      this.modalVisible = true;
+    },
   },
 };
 </script>
 
 <template>
   <div>
-    <gl-alert
-      v-if="alertMessage"
-      variant="danger"
-      :dismissible="true"
-      @dismiss="alertMessage = ''"
-      class="gl-mb-4"
-    >
-      {{ alertMessage }}
-    </gl-alert>
-
-    <gl-table :items="tableItems" :fields="fields" stacked="sm" show-empty>
+    <gl-table :items="scanners" :fields="fields" stacked="sm">
+      <template #head(profile)="data">
+        <div class="gl-display-flex gl-align-items-center">
+          <span>{{ data.label }}</span>
+          <gl-icon
+            v-gl-tooltip
+            name="information-o"
+            :title="__('Profiles define scanner configurations')"
+            class="gl-ml-2"
+          />
+        </div>
+      </template>
+
       <template #cell(scanner)="{ item }">
         <div class="gl-display-flex gl-align-items-center">
           <div
@@ -207,23 +198,33 @@ export default {
             <span class="gl-font-weight-bold gl-font-sm">{{ item.scannerCode }}</span>
           </div>
           <span class="gl-font-weight-bold">{{ item.scannerName }}</span>
-          <gl-icon
-            v-gl-tooltip
-            name="information-o"
-            class="gl-ml-2 gl-text-secondary"
-            :title="item.scannerTooltip"
-          />
+          <gl-icon v-gl-tooltip name="information-o" :title="item.scannerTooltip" class="gl-ml-2" />
         </div>
       </template>
 
       <template #cell(profile)="{ item }">
-        <span>{{ item.profileLabel }}</span>
+        <span>{{ item.profile }}</span>
+
+        <gl-button
+          v-if="item.attachedProfileId"
+          icon="eye"
+          category="tertiary"
+          size="small"
+          :aria-label="__(`View profile`)"
+          class="gl-ml-2"
+          @click="openProfile(item)"
+        />
       </template>
 
       <template #cell(status)="{ item }">
-        <gl-badge :variant="item.statusVariant">{{ item.statusText }}</gl-badge>
-        <div class="gl-font-sm gl-mt-2 gl-text-secondary">
-          {{ item.statusDescription }}
+        <div>
+          <div class="gl-display-flex gl-align-items-center gl-mb-2">
+            <gl-icon :name="item.statusIcon" class="gl-mr-2 gl-text-red-500" />
+            <span>{{ item.statusText }}</span>
+          </div>
+          <div class="gl-font-sm gl-text-secondary">
+            {{ item.statusDescription }}
+          </div>
         </div>
       </template>
 
@@ -232,32 +233,51 @@ export default {
       </template>
 
       <template #cell(actions)="{ item }">
-        <div class="gl-display-flex gl-gap-3">
+        <div class="gl-display-flex gl-align-items-center gl-gap-3">
+          <!-- Apply -->
           <gl-button
-            v-if="!item.isConfigured"
-            :disabled="busy"
+            v-if="item.showApplyButton"
             variant="confirm"
             category="secondary"
             size="small"
-            @click="attach(item)"
+            icon="check-circle"
+            :disabled="busy"
+            @click="handleApplyProfile(item)"
           >
-            <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
             {{ __('Apply default profile') }}
           </gl-button>
 
+          <!-- Detach -->
           <gl-button
             v-else
-            :disabled="busy"
             variant="danger"
             category="secondary"
             size="small"
-            @click="detach(item)"
+            icon="close"
+            :disabled="busy"
+            @click="detachProfile(item)"
           >
-            <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
-            {{ __('Detach profile') }}
+            {{ __('Detach') }}
           </gl-button>
+
+          <!-- Preview profile (eye icon) -->
+          <gl-button
+            category="secondary"
+            size="small"
+            icon="eye"
+            aria-label="Preview profile"
+            class="gl-ml-1"
+            @click="openProfile(item)"
+          />
         </div>
       </template>
     </gl-table>
+
+    <scanner-profile-modal
+      v-if="modalVisible"
+      :profile-id="modalProfileId"
+      :visible="modalVisible"
+      @close="modalVisible = false"
+    />
   </div>
 </template>
diff --git a/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_modal.vue b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_modal.vue
new file mode 100644
index 00000000000000..27ed4952df4aca
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_profile_modal.vue
@@ -0,0 +1,78 @@
+<script>
+import { GlModal, GlBadge, GlIcon } from '@gitlab/ui';
+import { __, s__ } from '~/locale';
+import queryProfile from '../../graphql/scan_profiles/security_scan_profile.client.query.graphql';
+
+export default {
+  name: 'ScannerProfileModal',
+  props: {
+    profileId: {
+      type: String,
+      required: false,
+    },
+    visible: {
+      type: Boolean,
+      required: true,
+    },
+  },
+
+  components: {
+    GlModal,
+    GlBadge,
+    GlIcon,
+  },
+  data() {
+    return {
+      profile: {},
+    };
+  },
+  apollo: {
+    profile: {
+      query: queryProfile,
+      variables() {
+        return { id: this.profileId };
+      },
+      skip() {
+        return !this.profileId;
+      },
+    },
+  },
+
+  watch: {
+    visible(val) {
+      if (val && this.profileId) {
+        this.$apollo.queries.profile.refetch();
+      }
+    },
+  },
+
+  methods: {
+    close() {
+      this.$emit('close');
+    },
+  },
+};
+</script>
+
+<template>
+  <gl-modal :visible="visible" @close="close" size="lg">
+    <template #modal-title>
+      {{ profile?.name }}
+    </template>
+
+    <div class="gl-mb-4">
+      <div class="gl-font-weight-bold gl-mb-2">Description</div>
+      <div>{{ profile?.description }}</div>
+    </div>
+
+    <div class="gl-mb-4">
+      <div class="gl-font-weight-bold gl-mb-2">Analyzer type</div>
+      <div>{{ profile?.scanType }}</div>
+    </div>
+
+    <div class="gl-mb-4">
+      <div class="gl-font-weight-bold gl-mb-2">Triggers</div>
+      <div v-for="t in profile?.triggers || []" :key="t.type">• {{ t.description }}</div>
+    </div>
+  </gl-modal>
+</template>
diff --git a/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_row.vue b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_row.vue
new file mode 100644
index 00000000000000..7541fbd19e011d
--- /dev/null
+++ b/app/assets/javascripts/security_configuration/components/scan_profiles/scanner_row.vue
@@ -0,0 +1,88 @@
+<script>
+import { GlButton, GlIcon, GlBadge, GlLoadingIcon } from '@gitlab/ui';
+
+export default {
+  name: 'ScannerRow',
+  props: {
+    item: { type: Object, required: true },
+    busy: { type: Boolean, required: true },
+  },
+
+  components: {
+    GlButton,
+    GlIcon,
+    GlBadge,
+    GlLoadingIcon,
+  },
+
+  emits: ['attach', 'detach', 'viewProfile'],
+
+  methods: {
+    onAttach() {
+      this.$emit('attach', this.item);
+    },
+    onDetach() {
+      this.$emit('detach', this.item);
+    },
+    onView() {
+      this.$emit('viewProfile', this.item.attachedProfileId);
+    },
+  },
+};
+</script>
+
+<template>
+  <tr>
+    <td>
+      <div class="gl-display-flex gl-align-items-center">
+        <div class="gl-border gl-mr-3 gl-rounded-base gl-p-2" style="width: 32px; height: 32px">
+          {{ item.scannerCode }}
+        </div>
+        <strong>{{ item.scannerName }}</strong>
+        <gl-icon v-gl-tooltip name="information-o" class="gl-ml-2" :title="item.scannerTooltip" />
+      </div>
+    </td>
+
+    <td>
+      <span>{{ item.profileLabel }}</span>
+      <gl-icon
+        v-if="item.isConfigured"
+        name="eye"
+        class="gl-ml-2 gl-cursor-pointer"
+        @click="onView"
+      />
+    </td>
+
+    <td>
+      <gl-badge :variant="item.statusVariant">{{ item.statusText }}</gl-badge>
+    </td>
+
+    <td>{{ item.lastScan }}</td>
+
+    <td>
+      <gl-button
+        v-if="!item.isConfigured"
+        variant="confirm"
+        category="secondary"
+        size="small"
+        :disabled="busy"
+        @click="onAttach"
+      >
+        <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
+        Apply default profile
+      </gl-button>
+
+      <gl-button
+        v-else
+        variant="danger"
+        category="secondary"
+        size="small"
+        :disabled="busy"
+        @click="onDetach"
+      >
+        <gl-loading-icon v-if="busy" inline class="gl-mr-2" />
+        Detach
+      </gl-button>
+    </td>
+  </tr>
+</template>
diff --git a/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js b/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
index e5134b40a74671..09ef3a4ef1f633 100644
--- a/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
+++ b/app/assets/javascripts/security_configuration/graphql/scan_profiles/resolvers.js
@@ -1,62 +1,148 @@
-// resolvers.js
+const mockDB = {
+  groups: {}, // groupPath → available profiles
+  projects: {}, // projectPath → attached profiles
+  profileStore: {}, // profileId → profile data
+};
+
+/**
+ * Utility: build default template profile
+ */
+function buildTemplateProfile(scanType) {
+  if (scanType === 'SECRET_DETECTION') {
+    return {
+      id: 'gid://gitlab/Security::ScanProfile/secret_detection',
+      name: 'Secret Push Protection (default)',
+      description:
+        'GitLab recommended baseline protection using industry standard detection rules.',
+      scanType: 'SECRET_DETECTION',
+      gitlabRecommended: true,
+      triggers: [
+        {
+          type: 'default',
+          description: 'Runs on push events',
+        },
+      ],
+      projects: [],
+      __typename: 'ScanProfileType',
+    };
+  }
+
+  return null;
+}
 
-import { InMemoryCache } from '@apollo/client/core';
+/**
+ * Utility: ensure a group has an available profiles list
+ */
+function ensureGroup(groupPath) {
+  if (!mockDB.groups[groupPath]) {
+    mockDB.groups[groupPath] = {
+      available: [buildTemplateProfile('SECRET_DETECTION')],
+    };
+  }
+  return mockDB.groups[groupPath];
+}
 
-const mockAttachedByProject = {};
-// Example structure:
-// { "gid://gitlab/Project/19": ["gid://gitlab/Security::ScanProfile/1"] }
+/**
+ * Utility: ensure a project entry exists
+ */
+function ensureProject(projectPath) {
+  if (!mockDB.projects[projectPath]) {
+    mockDB.projects[projectPath] = {
+      attached: [], // list of profile IDs
+    };
+  }
+  return mockDB.projects[projectPath];
+}
 
 export default {
   Query: {
-    securityScanProfile(_, { id }, { cache }) {
-      // Virtual object for now.
-      // Backend will replace this once merged.
+    /**
+     * Returns the list of available scan profiles for a group.
+     */
+    group(_, { fullPath }) {
+      const group = ensureGroup(fullPath);
+      return {
+        id: `gid://gitlab/Group/${fullPath}`,
+        name: fullPath,
+        availableSecurityScanProfiles: group.available,
+        __typename: 'Group',
+      };
+    },
+
+    /**
+     * Returns the list of attached profiles for a project.
+     */
+    project(_, { fullPath }) {
+      const project = ensureProject(fullPath);
+
+      const profiles = project.attached.map((id) => mockDB.profileStore[id]).filter(Boolean);
+
       return {
-        id,
-        name: 'Secret Push Protection (default)',
-        description:
-          'Mock profile until backend merge. Provides secret detection using baseline rules.',
-        scanType: 'SECRET_DETECTION',
-        gitlabRecommended: true,
-        __typename: 'ScanProfileType',
+        id: `gid://gitlab/Project/${fullPath}`,
+        fullPath,
+        name: fullPath,
+        securityScanProfiles: profiles,
+        __typename: 'Project',
       };
     },
+
+    /**
+     * Resolve a profile by ID
+     */
+    securityScanProfile(_, { id }) {
+      return mockDB.profileStore[id] || buildTemplateProfile('SECRET_DETECTION');
+    },
   },
 
   Mutation: {
-    securityScanProfileAttach(_, { input }, { cache }) {
-      const { securityScanProfileId, projectIds = [] } = input;
+    /**
+     * Attach profile to a list of projects
+     */
+    securityScanProfileAttach(_, { input }) {
+      const { projectIds = [], securityScanProfileId } = input;
 
-      projectIds.forEach((projectId) => {
-        if (!mockAttachedByProject[projectId]) {
-          mockAttachedByProject[projectId] = [];
-        }
-        if (!mockAttachedByProject[projectId].includes(securityScanProfileId)) {
-          mockAttachedByProject[projectId].push(securityScanProfileId);
+      // Ensure profile exists in store, otherwise clone the default template
+      if (!mockDB.profileStore[securityScanProfileId]) {
+        const crafted = {
+          ...buildTemplateProfile('SECRET_DETECTION'),
+          id: `gid://gitlab/Security::ScanProfile/${Math.floor(Math.random() * 99999)}`,
+          gitlabRecommended: true,
+        };
+        mockDB.profileStore[crafted.id] = crafted;
+      }
+
+      const profile =
+        mockDB.profileStore[securityScanProfileId] ||
+        mockDB.profileStore[Object.keys(mockDB.profileStore)[0]];
+
+      projectIds.forEach((pid) => {
+        const project = ensureProject(pid);
+        if (!project.attached.includes(profile.id)) {
+          project.attached.push(profile.id);
         }
       });
 
       return {
-        clientMutationId: input.clientMutationId || null,
         errors: [],
+        clientMutationId: input.clientMutationId || null,
         __typename: 'SecurityScanProfileAttachPayload',
       };
     },
 
-    securityScanProfileDetach(_, { input }, { cache }) {
-      const { securityScanProfileId, projectIds = [] } = input;
+    /**
+     * Detach profile from projects
+     */
+    securityScanProfileDetach(_, { input }) {
+      const { projectIds = [], securityScanProfileId } = input;
 
-      projectIds.forEach((projectId) => {
-        if (mockAttachedByProject[projectId]) {
-          mockAttachedByProject[projectId] = mockAttachedByProject[projectId].filter(
-            (id) => id !== securityScanProfileId,
-          );
-        }
+      projectIds.forEach((pid) => {
+        const project = ensureProject(pid);
+        project.attached = project.attached.filter((id) => id !== securityScanProfileId);
       });
 
       return {
-        clientMutationId: input.clientMutationId || null,
         errors: [],
+        clientMutationId: input.clientMutationId || null,
         __typename: 'SecurityScanProfileDetachPayload',
       };
     },
-- 
GitLab