We have more security features these days, but they're still oriented around developers. We should start thinking about what AppSec folks need. One of the first things that comes to mind is a security dashboard, at both group and project level, to highlight currently known security vulnerabilities, active work in progress resolving those vulnerabilities (whether automatic or manual), and information about how well the team is responding to security concerns.
- Show a list of known vulnerabilities (from SAST and DAST scanning), sorted by severity and grouped by vulnerability text, so the same vulnerability found in multiple files (or, at group level, in multiple projects) shows up once
- Show related MRs
- Show percent of time SLAs for resolution are hit
- Link to SLA admin (which comes with reasonable defaults)
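As an added illustration of the aggregation this dashboard would need (example code written for this issue, not GitLab code), the script below takes a handful of constructed SAST/DAST findings from two projects in one group, collapses them by vulnerability text, sorts the rows by severity, and computes the percentage of findings whose resolution SLA was hit. The finding record shape, the project and file names, and the per-severity SLA day counts are all assumptions made for the example; the issue only says the SLA admin "comes with reasonable defaults" and does not give numbers.

```python
"""Group-level security dashboard aggregation (added example, not GitLab code).

The finding records, project/file names and SLA defaults below are constructed
for illustration; they are not GitLab's report schema or actual defaults.
"""
from datetime import datetime, timedelta

# Severity ranking used to sort the dashboard, highest first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Hypothetical default resolution SLAs (days) per severity; an assumption.
DEFAULT_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings as an aggregator might receive them from SAST/DAST
# scans. "file" is None for DAST; "resolved" is None while still open.
FINDINGS = [
    {"scanner": "sast", "project": "web-app", "file": "app/db.py",
     "severity": "high", "message": "SQL injection via string-formatted query",
     "detected": "2023-01-02", "resolved": "2023-01-20"},
    {"scanner": "sast", "project": "web-app", "file": "app/reports.py",
     "severity": "high", "message": "SQL injection via string-formatted query",
     "detected": "2023-01-02", "resolved": None},
    {"scanner": "sast", "project": "billing", "file": "src/query.py",
     "severity": "high", "message": "SQL injection via string-formatted query",
     "detected": "2023-01-05", "resolved": "2023-03-01"},
    {"scanner": "dast", "project": "web-app", "file": None,
     "severity": "medium", "message": "Missing Content-Security-Policy header",
     "detected": "2023-01-10", "resolved": "2023-02-01"},
    {"scanner": "sast", "project": "billing", "file": "src/crypto.py",
     "severity": "critical", "message": "Use of MD5 for password hashing",
     "detected": "2023-01-12", "resolved": "2023-01-15"},
    {"scanner": "sast", "project": "web-app", "file": "app/debug.py",
     "severity": "low", "message": "Debug mode enabled",
     "detected": "2023-01-12", "resolved": None},
]


def _parse(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d") if date_str else None


def group_vulnerabilities(findings):
    """Collapse findings with the same vulnerability text into one row.

    Rows come back sorted by severity (highest first); each row carries the
    affected projects and (project, file) locations, so a vulnerability seen
    in many files or projects appears once at group level.
    """
    groups = {}
    for f in findings:
        row = groups.setdefault(f["message"], {
            "message": f["message"], "severity": f["severity"],
            "projects": set(), "locations": set(), "open": 0, "total": 0,
        })
        # Keep the highest severity reported for that vulnerability text.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[row["severity"]]:
            row["severity"] = f["severity"]
        row["projects"].add(f["project"])
        row["locations"].add((f["project"], f["file"]))
        row["total"] += 1
        if f["resolved"] is None:
            row["open"] += 1
    return sorted(groups.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], r["message"]))


def sla_hit_rate(findings, sla_days=DEFAULT_SLA_DAYS, as_of="2023-04-01"):
    """Percentage of findings whose resolution SLA was met, as of a date.

    A resolved finding hits its SLA if it was fixed within the allowed days.
    An open finding counts as a miss once its deadline has passed; an open
    finding still within SLA is excluded, since its outcome is undecided.
    Returns None when no finding has a decided outcome.
    """
    now = _parse(as_of)
    hit = decided = 0
    for f in findings:
        deadline = _parse(f["detected"]) + timedelta(days=sla_days[f["severity"]])
        resolved = _parse(f["resolved"])
        if resolved is not None:
            decided += 1
            if resolved <= deadline:
                hit += 1
        elif now > deadline:
            decided += 1  # open and overdue: a miss
    return None if decided == 0 else round(100.0 * hit / decided, 1)


if __name__ == "__main__":
    for row in group_vulnerabilities(FINDINGS):
        print(f"{row['severity']:8} {row['message']} "
              f"[{row['open']}/{row['total']} open, projects={sorted(row['projects'])}]")
    print(f"SLA hit rate: {sla_hit_rate(FINDINGS)}%")
```

With the constructed data the SQL injection finding shows up once at group level even though it appears in three files across two projects, and the SLA percentage treats the overdue open finding as a miss while leaving the low-severity one, still within its window, out of the denominator. Whatever the real defaults end up being, that distinction between "not yet due" and "missed" is what keeps the percentage honest.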