GitLab provides scan result policies, giving security teams a way to enforce separation of duties and ensure that vulnerable code is reviewed before it makes it into production. A scan result policy can be set to require approval based on the findings of one or more security scan jobs. Scan result policies are evaluated after the security scans have completed.

Now, let's create a scan result policy. We go to the Security and Compliance tab and click on Policies. From here, we'll click on New policy. Within the policy type dropdown, we'll go ahead and select Scan result. Here we see YAML mode, which allows us to create a policy using YAML. However, we're going to go ahead and go to rule mode, which provides a web UI that makes it easier to create a policy. We'll give the policy a name as well as a description.

Here I am creating a policy which will require approval if SAST vulnerabilities of any severity are detected within the main branch. I'm going to go ahead and set the policy status to on, meaning that it will be active in our project, and in the rules I am going to select SAST as the scanner. So if a SAST scan in an open merge request targeting the main branch finds one or more vulnerabilities of any type that are newly detected, then we're going to go ahead and require approval. Here we can add who we require approval from. I'm going to go ahead and put Sam White as an approver, and I'm also going to add a group. I'm going to pick the analysis backend team. We'll require an approval either from Sam White or from any member of the group if any SAST vulnerability is detected.

We can see how the YAML was configured via the UI, and I'll click on Create merge request. You'll see that a new merge request has been created in a new project. This new project is created to ensure separation of duties, because it provides different access levels than the original project. Now, I'll go ahead and merge this.
Going back to our project, we can go ahead and return to Policies. When we click on Edit project policy, we'll see that the policies are being pulled from the newly created security policy project.

Now, let's see this in action. I'm going to go to my merge requests, and here is a merge request I have created to add a new file with global permissions, which presents a vulnerability. You can see here that one approval from the SAST approval policy is required to merge the code, and there is Sam White as well as members of the composition analysis team. Approval is required because SAST vulnerabilities were detected. Security approvals enable separation of duties and add additional security controls to ensure insecure code does not make it into production.
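For reference, here is what the policy built in rule mode above looks like in YAML mode. This is an added example, not YAML taken from the video; the approver username and group path are placeholders that you would replace with your own project's values.

```yaml
# Added example (not from the GitLab walkthrough): the scan result policy
# described above, as it would appear in the security policy project.
# The username and group path below are placeholders.
scan_result_policy:
  - name: SAST approval policy
    description: Require approval when SAST detects new vulnerabilities in merge requests targeting main
    enabled: true                    # policy status "on"
    rules:
      - type: scan_finding
        branches:
          - main                     # merge requests targeting the main branch
        scanners:
          - sast                     # only SAST findings trigger this rule
        vulnerabilities_allowed: 0   # one or more findings require approval
        severity_levels:             # "any severity"
          - critical
          - high
          - medium
          - low
          - info
          - unknown
        vulnerability_states:
          - newly_detected           # findings not already present on the target branch
    actions:
      - type: require_approval
        approvals_required: 1        # one approval from either source below
        user_approvers:
          - sam.white                # placeholder username for the named approver
        group_approvers:
          - analysis-backend-team    # placeholder full path of the approver group
```

Because this file lives in the separate security policy project, developers on the original project cannot loosen the rule by editing it alongside their code, which is the separation of duties the walkthrough is relying on.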