Show on group security dashboard when security tests are not configured
Problem to solve
GitLab Auto DevOps runs SAST/DAST/Dependency scanning/Container scanning by default. We won't force people to run it, but organizations want to ensure that everything they deploy is tested. The security dashboard should show untested applications. (original problem statement from https://gitlab.com/gitlab-org/gitlab-ee/issues/7521)
It's unclear in the security dashboard what projects in the group have or have not been tested and when.
Intended users
Further details
- Untested: no security tools at all have been configured. If one or more security tools have been configured, the project is considered tested.
- Out-of-date: if any of the security tools that have already been run last ran longer ago than the threshold (5 days; see Technical Details below), the project is considered out of date.
- Security tests: SAST, DAST, container scanning, and dependency scanning (not license compliance).
Proposal
Based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/7521#note_195264318:

| i layout | ii aside, general | iii aside, overflow/hover |
|---|---|---|
| "Project scanning" aside in layout; current work on https://gitlab.com/gitlab-org/gitlab-ee/issues/12846 (layout update) and https://gitlab.com/gitlab-org/gitlab-ee/issues/11190 (adding aside) | "Tested" items are projects that are configured for testing (one or more scans). Displayed as "Within last 5 days"; if older, grouped as "5/15/30/60 or more days". A warning message appears if some projects have not been tested for 5 or more days. The aside is a fixed-height container, with the data in an overflow area that scrolls when needed. The "?" links to documentation. | |
| Projects in the Untested tab link to the project's configuration page, and projects in the Tested tab link to the project's pipelines page. | The day ranges are ordered from greatest to least days since testing (60 or more, 30, 15, 5, and within the last 5 days); if a range contains no projects, it is not shown in the UI. | |

In case no results are found that meet the criteria:
- Untested: "No projects found without security scans. Nice job!"
- Tested: "No projects found with security scans"
Permissions and Security
TBD
Documentation
TBD
Testing
TBD
What does success look like, and how can we measure that?
- User awareness of untested projects and/or projects that are out of date
- User better understands the source of information displayed in the chart and table
- Validate in think-aloud testing or other ux-research#240 (closed)
What is the type of buyer?
Links / references
- design specs
- @avielle / @kmann worked on discovery: https://gitlab.com/gitlab-org/gitlab-ee/issues/7521
Technical Details
Endpoint response format (with project attributes abbreviated):

```json
[
  {
    "id": 1,
    ...
    "security_tests_unconfigured": true/false,
    "security_tests_last_successful_run": "2019-05-11T22:00:36.162Z"
  },
  ...
]
```
- Responds with all projects in the group that have no configured scans, or for which any configured scan is out of date.
- A scan is "unconfigured" if the latest pipeline on the default branch does not include that scan. This means the scan could have been configured, but if a pipeline has not been run on the default branch with that configuration it will still show up here.
- A scan is "out of date" if the last successful job with that scan was more than 5 days ago.
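The following Ruby is an added worked example of the rules above; it is not GitLab's own code. The `SecurityTestStatus` module, its method names, and the project/pipeline hash shape it consumes are assumptions made for this example, and the sample projects at the bottom are constructed. It derives the two response fields, filters a group's projects down to those the endpoint should return (unconfigured, or any configured scan older than 5 days), honours the caveat that a scan present only on a non-default branch still counts as unconfigured, and assigns the "Tested" day ranges from the proposal. One rule the page does not state and this example assumes: a configured scan that has never had a successful job is treated as out of date.

```ruby
require 'time'
require 'json'

# Added example (not GitLab code). Input shape, assumed for this example:
#   project  = { id: Integer, pipelines: [pipeline, ...] }   # newest pipeline first
#   pipeline = { ref: String, jobs: [{ scan: String|nil, status: String, finished_at: Time }] }
# `scan` is the security report type of the job, nil for non-security jobs.
module SecurityTestStatus
  # Security tests in scope; license compliance is deliberately excluded.
  SECURITY_SCANS = %w[sast dast container_scanning dependency_scanning].freeze
  OUT_OF_DATE_AFTER_DAYS = 5
  SECONDS_PER_DAY = 86_400
  DAY_BUCKETS = [60, 30, 15, 5].freeze # checked from "60 or more days" downwards

  # Which scans are configured (present in the latest default-branch pipeline)
  # and, per configured scan, the time of its last successful job.
  def self.scan_state(project, default_branch: 'master')
    pipelines = project[:pipelines].select { |p| p[:ref] == default_branch }
    latest = pipelines.first
    # A scan added only on a feature branch is still reported as unconfigured.
    configured = latest ? (latest[:jobs].map { |j| j[:scan] } & SECURITY_SCANS) : []
    last_success = configured.to_h do |scan|
      finished = pipelines.flat_map { |p| p[:jobs] }
                          .select { |j| j[:scan] == scan && j[:status] == 'success' }
                          .map { |j| j[:finished_at] }
      [scan, finished.max] # nil when the scan has never succeeded
    end
    { configured: configured, last_success: last_success }
  end

  def self.unconfigured?(project, **opts)
    scan_state(project, **opts)[:configured].empty?
  end

  # Out of date when any configured scan's last successful job is older than the
  # threshold. Assumption: a configured scan that never succeeded counts as well.
  def self.out_of_date?(project, now:, **opts)
    state = scan_state(project, **opts)
    return false if state[:configured].empty?
    cutoff = now - OUT_OF_DATE_AFTER_DAYS * SECONDS_PER_DAY
    state[:last_success].values.any? { |t| t.nil? || t < cutoff }
  end

  def self.last_successful_run(project, **opts)
    scan_state(project, **opts)[:last_success].values.compact.max
  end

  # One element of the endpoint response, in the documented format.
  def self.response_entry(project, **opts)
    last = last_successful_run(project, **opts)
    {
      id: project[:id],
      security_tests_unconfigured: unconfigured?(project, **opts),
      security_tests_last_successful_run: last&.getutc&.iso8601(3)
    }
  end

  # The whole response: only projects that are unconfigured or out of date.
  def self.group_response(projects, now:, **opts)
    projects.select { |p| unconfigured?(p, **opts) || out_of_date?(p, now: now, **opts) }
            .map { |p| response_entry(p, **opts) }
  end

  # Range label for the "Tested" tab; nil when there is no successful run at all.
  def self.day_bucket(last_run, now:)
    return nil unless last_run
    days = ((now - last_run) / SECONDS_PER_DAY).floor
    bucket = DAY_BUCKETS.find { |d| days >= d }
    bucket ? "#{bucket} or more days" : 'Within last 5 days'
  end
end

# Constructed sample data for this example (a fixed clock keeps results stable).
NOW = Time.utc(2019, 5, 16, 12, 0, 0)
def sample_job(scan, status, days_ago)
  { scan: scan, status: status, finished_at: NOW - days_ago * SecurityTestStatus::SECONDS_PER_DAY }
end

SAMPLE_PROJECTS = [
  # 1: two scans, both succeeded yesterday -> tested and current, not in the response
  { id: 1, pipelines: [{ ref: 'master', jobs: [sample_job('sast', 'success', 1),
                                                 sample_job('dependency_scanning', 'success', 1),
                                                 sample_job(nil, 'success', 0)] }] },
  # 2: no security jobs at all -> unconfigured
  { id: 2, pipelines: [{ ref: 'master', jobs: [sample_job(nil, 'success', 0)] }] },
  # 3: SAST configured, latest run failed, last success 20 days ago -> out of date
  { id: 3, pipelines: [{ ref: 'master', jobs: [sample_job('sast', 'failed', 0)] },
                       { ref: 'master', jobs: [sample_job('sast', 'success', 20)] }] },
  # 4: DAST runs only on a feature branch -> still unconfigured per the definition above
  { id: 4, pipelines: [{ ref: 'feature', jobs: [sample_job('dast', 'success', 1)] }] }
].freeze

puts JSON.pretty_generate(SecurityTestStatus.group_response(SAMPLE_PROJECTS, now: NOW)) if $PROGRAM_NAME == __FILE__
```

Running it lists projects 2, 3 and 4; project 3 carries `security_tests_last_successful_run` of 2019-04-26 and lands in the "15 or more days" range, while project 1 is omitted from the response and would appear under "Within last 5 days" in the Tested tab.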
Development plan
Only unconfigured projects will be included in the first iteration. #36687 will add projects with an out of date latest pipeline to the widget. #36689 will add projects where the security jobs have been failing for 5 or more days to the out of date tab.