Security Dashboard and Auto DevOps compatibility issue
Description
With the release of the Group Security Dashboard in 11.5, we introduced the new concept of security jobs using the reports
syntax:
artifacts:
reports:
sast: gl-sast-report.json
The Group Security Dashboard requires this new syntax. It also requires GitLab Runner 11.5 or above.
The old syntax (based on generic artifacts) is still supported, but results will not be displayed in the dashboard. We deprecated the old syntax, and we adviced users to upgrade to the new definition if they meet requirements.
The problem comes with the Auto DevOps template, that cannot be manually updated by users because it is implicit.
With the current Auto DevOps syntax, SAST is executed but results are not available in the Group Security Dashboard. If we update Auto DevOps template with the new syntax, any customer with old versions of the runner will lose SAST entirely (so also MR widget).
We want to ensure Auto DevOps is working with the Group Security Dashboard out of the box.
Proposal
-
Mention in the release post for 11.5 that Auto DevOps is not supported for now -
Revert changes from previous proposal: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23530 -
Directly ping Ultimate/Gold customers via TAM to manage the upgrade case by case: https://gitlab.slack.com/archives/C5D346V08/p1543918253007800 -
Publish a blog post to communicate that runners need to be upgraded to 11.5 before GitLab 11.6 is released: gitlab-com/www-gitlab-com#3456 (closed) -
Tweet about the post -
Warn Support about the topic -
Update Auto DevOps template to use the new syntax: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23163 -
Create an exception request and get it approved: gitlab-org/release/tasks#593 (closed) -
Ship the change in 11.6 ( rc7
) -
Mention in the release post for 11.6 that Auto DevOps is now supported and runners must be upgraded: gitlab-com/www-gitlab-com!17025 (ccc0bf40)