Split Dependency Scanning report from SAST report in CI View
In #4967 we decided to split our current SAST checks in two:
- "Real" SAST tools doing code analysis
- Dependency scanning tools, like Gemnasium
We want to differentiate these two items in our security reports. This requires separate reports for SAST and Dependency Scanning, so they can be managed in the same way they are managed now.
In order to achieve this result, we need to:
- split the actual SAST report in two different artifacts, one for SAST and one for Dependency Scanning
- add a new section in the existing CI View (just below the SAST report), exactly the same as the one we already have for SAST but with a different copy (Dependency Scanning instead of SAST), that will load the Dependency Scanning report
- no changes should be needed for the SAST panel
Note: we'll keep a single job `sast` for the first iteration, since it is simpler to achieve. It will create two different reports as separate artifacts, and each of them will feed the corresponding MR widget.
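As an added illustration (not code from this issue or from GitLab itself), a script that performs the split described above: it takes the combined findings the single `sast` job produces and writes them out as two artifacts. The report shape (a JSON array of findings with a `tool` field), the set of dependency-scanning tool names and the output file names are assumptions.

```python
import json
from pathlib import Path

# Assumption: each finding names the analyzer that produced it in a "tool"
# field; these analyzers are treated as dependency scanners, everything else
# (brakeman, bandit, ...) as "real" SAST doing code analysis.
DEPENDENCY_SCANNING_TOOLS = {"gemnasium", "retire.js", "bundler-audit"}

# Constructed sample of the combined report produced by the single `sast` job.
COMBINED_REPORT = [
    {"tool": "brakeman", "message": "Possible SQL injection",
     "file": "app/models/user.rb", "line": 42, "priority": "High"},
    {"tool": "gemnasium", "message": "Vulnerable dependency: rails",
     "file": "Gemfile.lock", "priority": "Medium"},
    {"tool": "bandit", "message": "Use of exec detected",
     "file": "lib/run.py", "line": 7, "priority": "High"},
    {"tool": "Gemnasium", "message": "Vulnerable dependency: lodash",
     "file": "package.json", "priority": "Low"},
]


def split_report(findings):
    """Partition findings into (sast, dependency_scanning) by producing tool.

    Tool names are compared case-insensitively; a finding with an unknown
    or missing tool stays in the SAST report so nothing is silently dropped.
    """
    sast, dependency_scanning = [], []
    for finding in findings:
        tool = str(finding.get("tool", "")).lower()
        if tool in DEPENDENCY_SCANNING_TOOLS:
            dependency_scanning.append(finding)
        else:
            sast.append(finding)
    return sast, dependency_scanning


def write_reports(findings, out_dir="."):
    """Write the two artifacts the MR widgets consume (file names assumed).

    Returns a mapping of artifact name to number of findings written.
    """
    sast, dependency_scanning = split_report(findings)
    out = Path(out_dir)
    artifacts = {
        "gl-sast-report.json": sast,
        "gl-dependency-scanning-report.json": dependency_scanning,
    }
    for name, report in artifacts.items():
        (out / name).write_text(json.dumps(report, indent=2))
    return {name: len(report) for name, report in artifacts.items()}


if __name__ == "__main__":
    print(write_reports(COMBINED_REPORT))
```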
This is just to give an idea of the final result; it should be replaced by a proper design when ready:
Pipeline widget reference
- DAST will be the last element in the "list"
- Dependency Scanning
- Container Scanning
- DAST will not report "by analyzing the review app" text
- In CI View we will limit the height of each report to a scrollable 500px
"Show complete code vulnerabilities report" in #4310 will link to the expanded section of the report in the security tab of this view.