Filter vulnerabilities in the Group Security Dashboard
Description
When dealing with group-level or instance-level Security Dashboard, users should be able to filter data in order to restrict the scope if they want. For example, they may need to search just for a specific project, or for a specific vulnerability. This should be possible from the UI.
Proposal
Implement filtering capabilities in the Security Dashboard.
- What severity of vulnerabilities are happening
- What report type they were found in
- What projects are affected
Usage details
- Measure how many times the dropdown is accessed (via Snowplow for GitLab.com)
Designs
| Dashboard with filters - first state |
|---|
 |
Filter detail
| Severity dropdown | Project dropdown <=20 projects available | Project dropdown >20 projects | Report Type dropdown | Hide dismissed toggle | |
|---|---|---|---|---|---|
| Design detail |  |
 |
 |
 |
 |
| Default behavior: | We will default to having all severity levels selected, and the user can toggle/uncheck which ones they don't want to display in the dashboard. | Since this is the group security dashboard, all projects by default should be included in the dashboard, and the user can uncheck the ones that aren't relevant to their task. | When the user has more than 20 projects in their group, we will change the dropdown to one that has a field for the user to filter their projects. This will aid in the ability to find specific projects the user wants to isolate if they should so choose. | We will display both SAST and dependency scanning, and the user can toggle on-or-off which ones they want to isolate if their task depends on that behavior. The goal is to keep the dashboard homogenous with all the vulnerabilities we can show the user. | We will default the "Hide dismissed" toggle to on and not show the dismissed vulnerabilities for the group. Users have already taken deliberate action to dismiss, and thus classify them as irrelevant to their project/group. By defaulting to hiding we are reducing the clutter of the dashboard, and aiding in the user's task of parsing active vulnerabilities. |
| Examples | If for instance, a user unchecks "high" then, the high severity count will =0, the line chart will toggle high to off, and all list items with severity=high will be removed. |
Checking or unchecking projects will show the relevant and displayable data for the user's project selection(s) | - | Selecting a specific report type will reload the dashboard with only vulnerabilities of that type. If there are none to display we will show our empty state when there are no vulnerabilities. | When the "Hide dismissed" toggle is on and the user dismisses a vulnerability, we should display a toast at the bottom left of the window, and reload the dashboard with the newly dismissed vulnerability hidden. See more below > |
Other detail
| Report type popover |
|---|
 |
| Dismissing a vulnerability with the "Hide dismissed" toggle active |
|---|
 |
| Once the user has clicked the dismiss vulnerability button, the dismissed vulnerability will hide and the list will shift up, adding 1 new vulnerability at the bottom of the list. The user will also see a toast appear with an ease-in animation from the bottom and display at the left-bottom of the screen alerting the user of their action. After a short while, the toast will ease-out with the opposite motion. |
| If the user has the "Hide dismissed" toggle off, no motion will be applied to the vulnerability and no toast will appear. The dismissed vulnerability will appear as they do today, with the button for dismiss changing to the undo icon |
Edge cases
TBD
Design Specs:
Edited by Andy Volpe