Unverified commit bbf1b34c authored by Vishwa Bhat, committed by GitLab

Add Advanced Vulnerability Tracking in SD docs

Parent 35a36c5a
...@@ -96,6 +96,26 @@ can take a long time, especially for larger repositories with lengthy Git histor ...@@ -96,6 +96,26 @@ can take a long time, especially for larger repositories with lengthy Git histor
completing an initial full history scan, use only standard Pipeline Secret Detection as part of your completing an initial full history scan, use only standard Pipeline Secret Detection as part of your
pipeline. pipeline.
## Advanced vulnerability tracking
DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434096) in GitLab 17.0.
When developers make changes to a file with identified secrets, it's likely that the positions of these secrets will also change. The Secret Detection analyzer may have already flagged these secrets as vulnerabilities, tracked in the [Vulnerability Report](../../vulnerability_report/index.md). These vulnerabilities are associated with specific secrets for easy identification and action. However, if the detected secrets aren't accurately tracked as they shift, managing vulnerabilities becomes challenging, potentially resulting in duplicate vulnerability reports.
GitLab Secret Detection uses an advanced vulnerability tracking algorithm to more accurately identify when the same secret has moved within a file due to refactoring or unrelated changes.
For more information, see the confidential project `https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator`. The content of this project is available only to GitLab team members.
### Unsupported workflows
- The algorithm does not support the workflow where the existing finding lacks a tracking signature and does not share the same location as the newly detected finding.
- For certain rule types like Cryptographic Keys, the Secret Detection identifies leaks by matching the prefix of the secret rather than the entire secret value. In this scenario, the algorithm consolidates different secrets of the same rule type in a file into a single finding, rather than treating each distinct secret as a separate finding. For example, the [SSH Private Key rule type](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/d2919f65f1d8001755015b5d790af620676b97ea/gitleaks.toml#L138) matches only the `-----BEGIN OPENSSH PRIVATE KEY-----` prefix of a value to confirm the presence of a SSH private key. If there are two distinct SSH Private Keys within the same file, the algorithm considers both values as identical and reports only one finding instead of two.
- The algorithm's scope is limited to a per-file basis, meaning that the same secret appearing in two different files is treated as two distinct findings.
## Configuration ## Configuration
### Requirements ### Requirements
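Review bot: The line "For more information, see the confidential project `https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator`" points public readers at a project the same sentence says they cannot open, so it gives them nothing actionable; either drop the pointer or replace it with the one fact a user needs to predict the behaviour, namely what the algorithm keys on (the "Unsupported workflows" bullets imply a per-file tracking signature rather than a line number). The first "Unsupported workflows" bullet has the same problem: "the existing finding lacks a tracking signature" does not tell the reader which findings lack one (presumably those recorded before this tracking existed) or what they will see in that case (per the paragraph above, a duplicate vulnerability rather than the existing one being updated); say both explicitly, and state whether a fresh full scan clears the condition. Minor: the SSH Private Key rule link is pinned to a commit SHA, which is good for stability, but the rule name in the bullet ("SSH Private Key rule type") should match the rule ID used in that `gitleaks.toml` so readers can find it.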