From 2bb3727d99227eba97cb47130a6497bcb0570ec7 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Sat, 13 Dec 2025 00:09:15 +0100
Subject: [PATCH 1/4] initial

---
 .../scan_result/rule/rule_section.vue         |  14 +-
 .../rule/security_scan_rule_builder_v2.vue    | 158 ++++++++++++++++++
 2 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue

diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/rule_section.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/rule_section.vue
index 5af738704260a3..1351e5d3580543 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/rule_section.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/rule_section.vue
@@ -1,9 +1,11 @@
 <script>
 import { GlButton, GlAlert, GlSprintf } from '@gitlab/ui';
+import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import { ANY_MERGE_REQUEST, SCAN_FINDING, LICENSE_FINDING } from '../lib';
 import { RULE_OR_LABEL } from '../../constants';
 import AnyMergeRequestRuleBuilder from './any_merge_request_rule_builder.vue';
 import SecurityScanRuleBuilder from './security_scan_rule_builder.vue';
+import SecurityScanRuleBuilderV2 from './security_scan_rule_builder_v2.vue';
 import LicenseScanRuleBuilder from './license_scan_rule_builder.vue';
 import DefaultRuleBuilder from './default_rule_builder.vue';
 
@@ -16,8 +18,10 @@ export default {
     DefaultRuleBuilder,
     AnyMergeRequestRuleBuilder,
     SecurityScanRuleBuilder,
+    SecurityScanRuleBuilderV2,
     LicenseScanRuleBuilder,
   },
+  mixins: [glFeatureFlagsMixin()],
   props: {
     disabledRuleTypes: {
       type: Array,
@@ -61,6 +65,9 @@ export default {
     };
   },
   computed: {
+    hasKevFilterEnabled() {
+      return this.glFeatures.securityPoliciesKevFilter;
+    },
     isAnyMergeRequestRule() {
       return this.initRule.type === ANY_MERGE_REQUEST;
     },
@@ -139,7 +146,7 @@ export default {
         />
 
         <security-scan-rule-builder
-          v-else-if="isSecurityRule"
+          v-else-if="isSecurityRule && !hasKevFilterEnabled"
           :disabled-rule-types="disabledRuleTypes"
           :init-rule="initRule"
           @error="handleError"
@@ -148,6 +155,11 @@ export default {
           @set-scan-type="setScanType"
         />
 
+        <security-scan-rule-builder-v2
+          v-else-if="isSecurityRule && hasKevFilterEnabled"
+          :init-rule="initRule"
+        />
+
         <license-scan-rule-builder
           v-else-if="isLicenseRule"
           :disabled-rule-types="disabledRuleTypes"
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
new file mode 100644
index 00000000000000..20121bab5f2e72
--- /dev/null
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
@@ -0,0 +1,158 @@
+<script>
+import { GlSprintf } from '@gitlab/ui';
+import { s__ } from '~/locale';
+import { REPORT_TYPES_DEFAULT } from 'ee/security_dashboard/constants';
+import {
+  ANY_OPERATOR,
+  GREATER_THAN_OPERATOR,
+  BRANCH_EXCEPTIONS_KEY,
+  SCAN_RESULT_BRANCH_TYPE_OPTIONS,
+  VULNERABILITIES_ALLOWED_OPERATORS,
+} from 'ee/security_orchestration/components/policy_editor/constants';
+import BranchSelection from 'ee/security_orchestration/components/policy_editor/branch_selection.vue';
+import BranchExceptionSelector from 'ee/security_orchestration/components/policy_editor/branch_exception_selector.vue';
+import SectionLayout from 'ee/security_orchestration/components/policy_editor/section_layout.vue';
+import RuleMultiSelect from 'ee/security_orchestration/components/policy_editor/rule_multi_select.vue';
+import { enforceIntValue } from 'ee/security_orchestration/components/policy_editor/utils';
+import { getDefaultRule } from '../lib';
+import ScanTypeSelect from './scan_type_select.vue';
+import NumberRangeSelect from './number_range_select.vue';
+
+export default {
+  REPORT_TYPES_DEFAULT,
+  REPORT_TYPES_DEFAULT_KEYS: Object.keys(REPORT_TYPES_DEFAULT),
+  VULNERABILITIES_ALLOWED_OPERATORS,
+  i18n: {
+    scanners: s__('ScanResultPolicy|scanners'),
+    scanResultRuleCopy: s__(
+      'ScanResultPolicy|When a %{scanType} with %{scanners} runs against %{branches} %{branchExceptions} and finds %{vulnerabilitiesNumber} %{boldDescription} all the following criteria:',
+    ),
+    vulnerabilitiesAllowed: s__('ScanResultPolicy|vulnerabilities allowed'),
+    vulnerabilityMatchDescription: s__('ScanResultPolicy|vulnerability type that matches'),
+  },
+  name: 'SecurityScanRuleBuilder',
+  components: {
+    NumberRangeSelect,
+    BranchExceptionSelector,
+    BranchSelection,
+    GlSprintf,
+    RuleMultiSelect,
+    ScanTypeSelect,
+    SectionLayout,
+  },
+  inject: ['namespaceType'],
+  props: {
+    initRule: {
+      type: Object,
+      required: true,
+    },
+  },
+  emits: ['set-scan-type', 'changed', 'error'],
+  computed: {
+    branchExceptions() {
+      return this.initRule.branch_exceptions;
+    },
+    branchTypes() {
+      return SCAN_RESULT_BRANCH_TYPE_OPTIONS(this.namespaceType);
+    },
+    scanners() {
+      return this.initRule.scanners.length === 0
+        ? this.$options.REPORT_TYPES_DEFAULT_KEYS
+        : this.initRule.scanners;
+    },
+    selectedVulnerabilitiesOperator() {
+      return this.vulnerabilitiesAllowed === 0 ? ANY_OPERATOR : GREATER_THAN_OPERATOR;
+    },
+    vulnerabilitiesAllowed() {
+      return enforceIntValue(this.initRule.vulnerabilities_allowed);
+    },
+  },
+  methods: {
+    handleVulnerabilitiesAllowedOperatorChange(value) {
+      if (value === ANY_OPERATOR) {
+        this.setVulnerabilitiesAllowed(0);
+      }
+    },
+    setVulnerabilitiesAllowed(value) {
+      this.triggerChanged({ vulnerabilities_allowed: value });
+    },
+    setScanType(value) {
+      const rule = getDefaultRule(value);
+      this.$emit('set-scan-type', rule);
+    },
+    setBranchType(value) {
+      this.$emit('changed', value);
+    },
+    triggerChanged(value) {
+      this.$emit('changed', { ...this.initRule, ...value });
+    },
+    removeExceptions() {
+      const rule = { ...this.initRule };
+      if (BRANCH_EXCEPTIONS_KEY in rule) {
+        delete rule[BRANCH_EXCEPTIONS_KEY];
+      }
+
+      this.$emit('changed', rule);
+    },
+  },
+};
+</script>
+
+<template>
+  <section-layout class="gl-pr-0" :show-remove-button="false" @changed="$emit('changed', $event)">
+    <template #content>
+      <section-layout class="!gl-bg-default" :show-remove-button="false">
+        <template #content>
+          <gl-sprintf :message="$options.i18n.scanResultRuleCopy">
+            <template #scanType>
+              <scan-type-select :scan-type="initRule.type" @select="setScanType" />
+            </template>
+
+            <template #scanners>
+              <rule-multi-select
+                :value="scanners"
+                class="!gl-inline gl-align-middle"
+                :item-type-name="$options.i18n.scanners"
+                :items="$options.REPORT_TYPES_DEFAULT"
+                data-testid="scanners-select"
+                @error="$emit('error', $event)"
+              />
+            </template>
+
+            <template #branches>
+              <branch-selection
+                :init-rule="initRule"
+                :branch-types="branchTypes"
+                @changed="triggerChanged($event)"
+                @set-branch-type="setBranchType"
+              />
+            </template>
+
+            <template #branchExceptions>
+              <branch-exception-selector
+                :selected-exceptions="branchExceptions"
+                @remove="removeExceptions"
+                @select="triggerChanged"
+              />
+            </template>
+
+            <template #vulnerabilitiesNumber>
+              <number-range-select
+                id="vulnerabilities-allowed"
+                :value="vulnerabilitiesAllowed"
+                :label="$options.i18n.vulnerabilitiesAllowed"
+                :selected="selectedVulnerabilitiesOperator"
+                :operators="$options.VULNERABILITIES_ALLOWED_OPERATORS"
+                @operator-change="handleVulnerabilitiesAllowedOperatorChange"
+              />
+            </template>
+
+            <template #boldDescription>
+              <b>{{ $options.i18n.vulnerabilityMatchDescription }}</b>
+            </template>
+          </gl-sprintf>
+        </template>
+      </section-layout>
+    </template>
+  </section-layout>
+</template>
-- 
GitLab


From 36260c2444e9124373b3fcd5c66f5c381c7aa5a0 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Mon, 15 Dec 2025 00:14:59 +0100
Subject: [PATCH 2/4] coom

---
 .../rule/scanners/global_settings.vue         | 26 +++++++++++++++++++
 .../rule/security_scan_rule_builder_v2.vue    | 10 +++++--
 locale/gitlab.pot                             |  6 +++++
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue

diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
new file mode 100644
index 00000000000000..0f53f06fee7a65
--- /dev/null
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
@@ -0,0 +1,26 @@
+<script>
+import { s__ } from '~/locale';
+import SectionLayout from 'ee/security_orchestration/components/policy_editor/section_layout.vue';
+
+export default {
+  i18n: {
+    title: s__('ScanResultPolicy|Global Settings'),
+    description: s__('ScanResultPolicy|Severity and status settings will apply to all scan rules'),
+  },
+  name: 'GlobalSettings',
+  components: {
+    SectionLayout,
+  },
+};
+</script>
+
+<template>
+  <section-layout class="gl-w-full" :show-remove-button="false">
+    <template #content>
+      <div class="">
+        <h5 class="gl-mb-2">{{ $options.i18n.title }}</h5>
+        <p class="gl-mb-0">{{ $options.i18n.description }}</p>
+      </div>
+    </template>
+  </section-layout>
+</template>
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
index 20121bab5f2e72..1a72ab590c6223 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
@@ -17,6 +17,7 @@ import { enforceIntValue } from 'ee/security_orchestration/components/policy_edi
 import { getDefaultRule } from '../lib';
 import ScanTypeSelect from './scan_type_select.vue';
 import NumberRangeSelect from './number_range_select.vue';
+import GlobalSettings from './scanners/global_settings.vue';
 
 export default {
   REPORT_TYPES_DEFAULT,
@@ -35,6 +36,7 @@ export default {
     NumberRangeSelect,
     BranchExceptionSelector,
     BranchSelection,
+    GlobalSettings,
     GlSprintf,
     RuleMultiSelect,
     ScanTypeSelect,
@@ -68,7 +70,7 @@ export default {
     },
   },
   methods: {
-    handleVulnerabilitiesAllowedOperatorChange(value) {
+    handleVulnerabilitiesOperatorChange(value) {
       if (value === ANY_OPERATOR) {
         this.setVulnerabilitiesAllowed(0);
       }
@@ -143,7 +145,7 @@ export default {
                 :label="$options.i18n.vulnerabilitiesAllowed"
                 :selected="selectedVulnerabilitiesOperator"
                 :operators="$options.VULNERABILITIES_ALLOWED_OPERATORS"
-                @operator-change="handleVulnerabilitiesAllowedOperatorChange"
+                @operator-change="handleVulnerabilitiesOperatorChange"
               />
             </template>
 
@@ -153,6 +155,10 @@ export default {
           </gl-sprintf>
         </template>
       </section-layout>
+
+      <div class="gl-w-full gl-rounded-base gl-bg-white gl-p-4">
+        <global-settings />
+      </div>
     </template>
   </section-layout>
 </template>
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 0d544087a61cd1..585d35e31fe056 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -58744,6 +58744,9 @@ msgstr ""
 msgid "ScanResultPolicy|For scanners that require builds, when a project does not have a build pipeline."
 msgstr ""
 
+msgid "ScanResultPolicy|Global Settings"
+msgstr ""
+
 msgid "ScanResultPolicy|Grant bypass permissions to users based on their organizational role or custom role assignments."
 msgstr ""
 
@@ -58981,6 +58984,9 @@ msgstr ""
 msgid "ScanResultPolicy|Service accounts"
 msgstr ""
 
+msgid "ScanResultPolicy|Severity and status settings will apply to all scan rules"
+msgstr ""
+
 msgid "ScanResultPolicy|Severity is:"
 msgstr ""
 
-- 
GitLab


From d0956df01abe548f035a09bf3e290e59330eb4ee Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Mon, 15 Dec 2025 19:21:04 +0100
Subject: [PATCH 3/4] initial

---
 .../rule/scanners/global_settings.vue         | 195 +++++++++++++++++-
 .../scan_result/rule/scanners/utils.js        |  59 ++++++
 .../rule/security_scan_rule_builder_v2.vue    |  11 +-
 locale/gitlab.pot                             |   3 +
 4 files changed, 257 insertions(+), 11 deletions(-)
 create mode 100644 ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/utils.js

diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
index 0f53f06fee7a65..bdf20f4a4a9661 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
@@ -1,15 +1,169 @@
 <script>
 import { s__ } from '~/locale';
+import AttributeFilters from 'ee/security_orchestration/components/policy_editor/scan_result/rule/scan_filters/attribute_filters.vue';
+import ScanFilterSelector from 'ee/security_orchestration/components/policy_editor/scan_filter_selector.vue';
 import SectionLayout from 'ee/security_orchestration/components/policy_editor/section_layout.vue';
+import SeverityFilter from 'ee/security_orchestration/components/policy_editor/scan_result/rule/scan_filters/severity_filter.vue';
+import StatusFilters from 'ee/security_orchestration/components/policy_editor/scan_result/rule/scan_filters/status_filters.vue';
+import { SEVERITY_LEVELS } from 'ee/security_dashboard/constants';
+import {
+  AGE,
+  ATTRIBUTE,
+  FILTERS,
+  NEWLY_DETECTED,
+  PREVIOUSLY_EXISTING,
+  FIX_AVAILABLE,
+  FALSE_POSITIVE,
+  STATUS,
+} from 'ee/security_orchestration/components/policy_editor/scan_result/rule/scan_filters/constants';
+import {
+  buildFiltersFromRule,
+  groupVulnerabilityStatesWithDefaults,
+} from 'ee/security_orchestration/components/policy_editor/scan_result/lib';
+import { normalizeVulnerabilityStates, getAgeTooltip } from './utils';
 
 export default {
+  FILTERS,
   i18n: {
     title: s__('ScanResultPolicy|Global Settings'),
     description: s__('ScanResultPolicy|Severity and status settings will apply to all scan rules'),
   },
   name: 'GlobalSettings',
   components: {
+    AttributeFilters,
+    ScanFilterSelector,
     SectionLayout,
+    SeverityFilter,
+    StatusFilters,
+  },
+  props: {
+    initRule: {
+      type: Object,
+      required: true,
+    },
+  },
+  data() {
+    return {
+      // filters: buildFiltersFromRule(this.initRule),
+    };
+  },
+  computed: {
+    filters() {
+      return buildFiltersFromRule(this.initRule);
+    },
+    isAttributeFilterSelected() {
+      return this.isFilterSelected(FIX_AVAILABLE) || this.isFilterSelected(FALSE_POSITIVE);
+    },
+    isStatusFilterSelected() {
+      return this.isFilterSelected(NEWLY_DETECTED) || this.isFilterSelected(PREVIOUSLY_EXISTING);
+    },
+    severityLevels() {
+      const { severity_levels: severityLevels = [] } = this.initRule;
+
+      if (!Array.isArray(severityLevels)) {
+        return [];
+      }
+
+      return severityLevels.length === 0 ? Object.keys(SEVERITY_LEVELS) : severityLevels;
+    },
+    vulnerabilityAttributes() {
+      return this.initRule?.vulnerability_attributes || {};
+    },
+    vulnerabilityStates() {
+      const vulnerabilityStateGroups = groupVulnerabilityStatesWithDefaults(
+        this.initRule.vulnerability_states,
+      );
+      return {
+        [PREVIOUSLY_EXISTING]: vulnerabilityStateGroups[PREVIOUSLY_EXISTING],
+        [NEWLY_DETECTED]: vulnerabilityStateGroups[NEWLY_DETECTED],
+      };
+    },
+  },
+  methods: {
+    customFilterSelectorTooltip(filter) {
+      return filter.value === AGE ? getAgeTooltip(filter, this.vulnerabilityStates) : '';
+    },
+    isFilterSelected(filter) {
+      return !!this.filters[filter];
+    },
+    changeStatusGroup(states) {
+      this.triggerChanged({
+        vulnerability_states: states,
+      });
+    },
+    removeStatusFilter(filter) {
+      this.triggerChanged({
+        vulnerability_states: {
+          ...this.vulnerabilityStates,
+          [filter]: null,
+        },
+      });
+    },
+    removeAttributesFilter(attribute) {
+      const { [attribute]: deletedAttribute, ...otherAttributes } = this.vulnerabilityAttributes;
+      this.triggerChanged({ vulnerability_states: otherAttributes });
+    },
+    removeFilterFromRule(filter) {
+      const { [filter]: deletedFilter, ...otherFilters } = this.initRule;
+      this.$emit('changed', otherFilters);
+    },
+    setVulnerabilityStates(vulnerabilityStates) {
+      this.triggerChanged({
+        vulnerability_states: normalizeVulnerabilityStates(vulnerabilityStates),
+      });
+    },
+    setVulnerabilityAttributes(attributes) {
+      if (!Object.keys(attributes).length) {
+        this.removeFilterFromRule('vulnerability_attributes');
+        return;
+      }
+
+      this.triggerChanged({
+        vulnerability_attributes: attributes,
+      });
+    },
+    shouldDisableFilterSelector(filter) {
+      if (filter !== AGE) {
+        return false;
+      }
+
+      return !this.vulnerabilityStates[PREVIOUSLY_EXISTING]?.length;
+    },
+    triggerChanged(value) {
+      this.$emit('changed', { ...this.initRule, ...value });
+    },
+    selectFilter(filter) {
+      if (filter === STATUS) {
+        const key = this.filters[NEWLY_DETECTED] ? PREVIOUSLY_EXISTING : NEWLY_DETECTED;
+
+        this.triggerChanged({
+          vulnerability_states: {
+            ...this.vulnerabilityStates,
+            [key]: true,
+          },
+        });
+        return;
+      }
+
+      if (filter === ATTRIBUTE) {
+        const key =
+          Object.keys(this.vulnerabilityAttributes)[0] === FIX_AVAILABLE
+            ? FALSE_POSITIVE
+            : FIX_AVAILABLE;
+
+        this.triggerChanged({
+          vulnerability_attributes: {
+            ...this.vulnerabilityAttributes,
+            [key]: true,
+          },
+        });
+        return;
+      }
+
+      this.triggerChanged({
+        [filter]: [],
+      });
+    },
   },
 };
 </script>
@@ -17,9 +171,44 @@ export default {
 <template>
   <section-layout class="gl-w-full" :show-remove-button="false">
     <template #content>
-      <div class="">
-        <h5 class="gl-mb-2">{{ $options.i18n.title }}</h5>
-        <p class="gl-mb-0">{{ $options.i18n.description }}</p>
+      <div class="gl-w-full">
+        <div>
+          <h5 class="gl-mb-2">{{ $options.i18n.title }}</h5>
+          <p class="gl-mb-0">{{ $options.i18n.description }}</p>
+        </div>
+
+        <div class="gl-mt-4">
+          <severity-filter class="!gl-bg-default" :selected="severityLevels" />
+        </div>
+
+        <div v-if="isStatusFilterSelected" class="gl-mt-4">
+          <status-filters
+            :filters="filters"
+            :selected="vulnerabilityStates"
+            @remove="removeStatusFilter"
+            @change-status-group="changeStatusGroup"
+            @input="setVulnerabilityStates"
+          />
+        </div>
+
+        <div v-if="isAttributeFilterSelected" class="gl-mt-4">
+          <attribute-filters
+            :selected="vulnerabilityAttributes"
+            @remove="removeAttributesFilter"
+            @input="setVulnerabilityAttributes"
+          />
+        </div>
+      </div>
+
+      <div class="gl-mt-2 gl-w-full">
+        <scan-filter-selector
+          class="gl-w-full !gl-bg-default"
+          :filters="$options.FILTERS"
+          :selected="filters"
+          :should-disable-filter="shouldDisableFilterSelector"
+          :custom-filter-tooltip="customFilterSelectorTooltip"
+          @select="selectFilter"
+        />
       </div>
     </template>
   </section-layout>
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/utils.js b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/utils.js
new file mode 100644
index 00000000000000..1efb50f26b4cba
--- /dev/null
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/utils.js
@@ -0,0 +1,59 @@
+// scanFiltersUtils.js
+import { xor } from 'lodash';
+import {
+  AGE_TOOLTIP_NO_PREVIOUSLY_EXISTING_VULNERABILITY,
+  AGE_TOOLTIP_MAXIMUM_REACHED,
+  DEFAULT_VULNERABILITY_STATES,
+  NEWLY_DETECTED,
+  PREVIOUSLY_EXISTING,
+  FIX_AVAILABLE,
+  FALSE_POSITIVE,
+  STATUS,
+  ATTRIBUTE,
+} from 'ee/security_orchestration/components/policy_editor/scan_result/rule/scan_filters/constants';
+
+export function normalizeVulnerabilityStates(vulnerabilityStates) {
+  const states = [
+    ...(vulnerabilityStates[NEWLY_DETECTED] || []),
+    ...(vulnerabilityStates[PREVIOUSLY_EXISTING] || []),
+  ];
+
+  if (!states.length) return null;
+
+  const matchesDefault = xor(states, DEFAULT_VULNERABILITY_STATES).length === 0;
+
+  return matchesDefault ? [] : states;
+}
+
+export function updateCombinedFilters(filters) {
+  return {
+    ...filters,
+    [STATUS]: Boolean(filters[NEWLY_DETECTED] && filters[PREVIOUSLY_EXISTING]),
+    [ATTRIBUTE]: Boolean(filters[FIX_AVAILABLE] && filters[FALSE_POSITIVE]),
+  };
+}
+
+export function toggleStatusFilter(filters) {
+  const nextKey = filters[NEWLY_DETECTED] ? PREVIOUSLY_EXISTING : NEWLY_DETECTED;
+
+  return updateCombinedFilters({
+    ...filters,
+    [nextKey]: true,
+  });
+}
+
+export function toggleAttributeFilter(attributes) {
+  const key = Object.keys(attributes)[0] === FIX_AVAILABLE ? FALSE_POSITIVE : FIX_AVAILABLE;
+
+  return {
+    ...attributes,
+    [key]: true,
+  };
+}
+
+export function getAgeTooltip(filter, vulnerabilityStates) {
+  if (!vulnerabilityStates[PREVIOUSLY_EXISTING]?.length) {
+    return filter.tooltip[AGE_TOOLTIP_NO_PREVIOUSLY_EXISTING_VULNERABILITY];
+  }
+  return filter.tooltip[AGE_TOOLTIP_MAXIMUM_REACHED];
+}
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
index 1a72ab590c6223..fe3e5490408d4e 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/security_scan_rule_builder_v2.vue
@@ -26,10 +26,9 @@ export default {
   i18n: {
     scanners: s__('ScanResultPolicy|scanners'),
     scanResultRuleCopy: s__(
-      'ScanResultPolicy|When a %{scanType} with %{scanners} runs against %{branches} %{branchExceptions} and finds %{vulnerabilitiesNumber} %{boldDescription} all the following criteria:',
+      'ScanResultPolicy|When a %{scanType} with %{scanners} runs against %{branches} %{branchExceptions} and finds %{vulnerabilitiesNumber} vulnerability type that matches all the following criteria:',
     ),
     vulnerabilitiesAllowed: s__('ScanResultPolicy|vulnerabilities allowed'),
-    vulnerabilityMatchDescription: s__('ScanResultPolicy|vulnerability type that matches'),
   },
   name: 'SecurityScanRuleBuilder',
   components: {
@@ -103,7 +102,7 @@ export default {
 <template>
   <section-layout class="gl-pr-0" :show-remove-button="false" @changed="$emit('changed', $event)">
     <template #content>
-      <section-layout class="!gl-bg-default" :show-remove-button="false">
+      <section-layout :show-remove-button="false">
         <template #content>
           <gl-sprintf :message="$options.i18n.scanResultRuleCopy">
             <template #scanType>
@@ -148,16 +147,12 @@ export default {
                 @operator-change="handleVulnerabilitiesOperatorChange"
               />
             </template>
-
-            <template #boldDescription>
-              <b>{{ $options.i18n.vulnerabilityMatchDescription }}</b>
-            </template>
           </gl-sprintf>
         </template>
       </section-layout>
 
       <div class="gl-w-full gl-rounded-base gl-bg-white gl-p-4">
-        <global-settings />
+        <global-settings :init-rule="initRule" />
       </div>
     </template>
   </section-layout>
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 585d35e31fe056..984fd2a1ca3334 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -59026,6 +59026,9 @@ msgstr ""
 msgid "ScanResultPolicy|When a %{scanType} with %{scanners} runs against %{branches} %{branchExceptions} and finds %{vulnerabilitiesNumber} %{boldDescription} all the following criteria:"
 msgstr ""
 
+msgid "ScanResultPolicy|When a %{scanType} with %{scanners} runs against %{branches} %{branchExceptions} and finds %{vulnerabilitiesNumber} vulnerability type that matches all the following criteria:"
+msgstr ""
+
 msgid "ScanResultPolicy|When a security policy fails for an unspecified reason."
 msgstr ""
 
-- 
GitLab


From e19831ce1fb4675f15e680cf6f86d3cd9e79d168 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Mon, 15 Dec 2025 19:24:40 +0100
Subject: [PATCH 4/4] initial

---
 .../scan_result/rule/scanners/global_settings.vue              | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
index bdf20f4a4a9661..7f4ce017aa084b 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/rule/scanners/global_settings.vue
@@ -42,6 +42,7 @@ export default {
       required: true,
     },
   },
+  emits: ['changed'],
   data() {
     return {
       // filters: buildFiltersFromRule(this.initRule),
@@ -84,7 +85,7 @@ export default {
       return filter.value === AGE ? getAgeTooltip(filter, this.vulnerabilityStates) : '';
     },
     isFilterSelected(filter) {
-      return !!this.filters[filter];
+      return Boolean(this.filters[filter]);
     },
     changeStatusGroup(states) {
       this.triggerChanged({
-- 
GitLab