Data model to store security scanning results
Problem to solve
Right now the security reports presented in projects, MRs and pipelines are loaded from the JSON artifacts generated by SAST, DAST, Dependency Scanning (DS) and Container Scanning (CS). We can't implement the group-level security dashboard the same way because there would be too many artifacts to fetch and load. The solution is to store the security results in the DB and serve them to the frontend via the API.
This issue addresses the first step: design a data model to store the security scanning results (SAST, DAST, DS and CS) and retrieve them efficiently.
The following are out of the scope of this issue:
- feed the database automatically using the generated artifacts
- leverage the DB to implement the group-level security dashboard
- rewrite the existing security dashboard & reports using the DB to make them more efficient
We could also leverage the new data model to better track the vulnerabilities that have been dismissed. See #6590 (comment 92061498)
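As an added illustration (not GitLab's schema or code, and not the design this issue is meant to produce), the sketch below shows one way such a model could look: findings from each artifact are stored per pipeline with a stable fingerprint, the group-level view becomes a single aggregate query over the latest pipeline of every project in the group instead of fetching every artifact, and dismissals live in their own table keyed by fingerprint so they survive re-scans, which is the dismissal-tracking idea above. It assumes a simplified artifact shape (a `vulnerabilities` array whose entries carry category, name, severity, location and identifiers), that pipeline ids increase over time, and uses in-memory SQLite with constructed sample reports so it runs stand-alone.

```python
"""Sketch of a relational store for security scan results (added example,
not GitLab's schema). Artifact shape, table names and fingerprint rule are
assumptions made for illustration."""
import hashlib
import json
import sqlite3

SCHEMA = """
CREATE TABLE projects  (id INTEGER PRIMARY KEY, group_id INTEGER NOT NULL, name TEXT NOT NULL);
CREATE TABLE pipelines (id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL REFERENCES projects(id));
-- One row per finding per pipeline. The fingerprint identifies the same finding
-- across pipelines so it can be matched against dismissals.
CREATE TABLE occurrences (
  id INTEGER PRIMARY KEY, pipeline_id INTEGER NOT NULL REFERENCES pipelines(id),
  report_type TEXT NOT NULL, name TEXT NOT NULL, severity TEXT NOT NULL,
  fingerprint TEXT NOT NULL, location TEXT,
  UNIQUE (pipeline_id, report_type, fingerprint));
CREATE TABLE identifiers (occurrence_id INTEGER NOT NULL REFERENCES occurrences(id),
  type TEXT NOT NULL, value TEXT NOT NULL);
-- Dismissals are kept apart from the per-pipeline rows so a re-scan does not undo them.
CREATE TABLE dismissals (project_id INTEGER NOT NULL REFERENCES projects(id),
  fingerprint TEXT NOT NULL, PRIMARY KEY (project_id, fingerprint));
CREATE INDEX occ_pipeline_severity ON occurrences (pipeline_id, severity);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def fingerprint(vuln):
    """Stable key built from category, sorted identifiers and the location target (assumed rule)."""
    loc = vuln.get("location", {})
    key = {"category": vuln["category"],
           "identifiers": sorted((i["type"], i["value"]) for i in vuln.get("identifiers", [])),
           "target": loc.get("file") or loc.get("image") or loc.get("hostname")}
    return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()

def ingest_report(conn, pipeline_id, report_text):
    """Load one JSON artifact into the DB; returns the number of findings stored."""
    inserted = 0
    for v in json.loads(report_text)["vulnerabilities"]:
        cur = conn.execute(
            "INSERT OR IGNORE INTO occurrences (pipeline_id, report_type, name, severity, fingerprint, location)"
            " VALUES (?,?,?,?,?,?)",
            (pipeline_id, v["category"], v["name"], v["severity"], fingerprint(v),
             json.dumps(v.get("location", {}), sort_keys=True)))
        if cur.rowcount == 0:
            continue  # the same finding listed twice in one artifact
        conn.executemany("INSERT INTO identifiers (occurrence_id, type, value) VALUES (?,?,?)",
                         [(cur.lastrowid, i["type"], i["value"]) for i in v.get("identifiers", [])])
        inserted += 1
    conn.commit()
    return inserted

def dismiss(conn, project_id, fp):
    conn.execute("INSERT OR IGNORE INTO dismissals (project_id, fingerprint) VALUES (?,?)", (project_id, fp))
    conn.commit()

# Group-level view: latest pipeline per project in the group (assumes ids grow over time),
# minus dismissed findings, counted by severity. One query instead of N artifact fetches.
GROUP_QUERY = """
WITH latest AS (
  SELECT p.project_id, MAX(p.id) AS pipeline_id
  FROM pipelines p JOIN projects pr ON pr.id = p.project_id
  WHERE pr.group_id = ? GROUP BY p.project_id)
SELECT pr.name, o.severity, COUNT(*)
FROM occurrences o
JOIN latest l ON l.pipeline_id = o.pipeline_id
JOIN projects pr ON pr.id = l.project_id
LEFT JOIN dismissals d ON d.project_id = l.project_id AND d.fingerprint = o.fingerprint
WHERE d.fingerprint IS NULL
GROUP BY pr.name, o.severity ORDER BY pr.name, o.severity
"""

def group_dashboard(conn, group_id):
    return {(name, sev): n for name, sev, n in conn.execute(GROUP_QUERY, (group_id,))}

# Constructed sample artifacts (not real scanner output) in the assumed shape.
SAST_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [
    {"category": "sast", "name": "Hardcoded password", "severity": "High",
     "location": {"file": "app/config.rb", "start_line": 12}, "identifiers": [{"type": "cwe", "value": "259"}]},
    {"category": "sast", "name": "Weak hash", "severity": "Medium",
     "location": {"file": "lib/digest.rb", "start_line": 4}, "identifiers": [{"type": "cwe", "value": "328"}]}]})
DS_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [
    {"category": "dependency_scanning", "name": "Outdated dependency", "severity": "High",
     "location": {"file": "Gemfile.lock"}, "identifiers": [{"type": "cwe", "value": "1104"}]}]})

def build_demo():
    """Two projects in group 10, one in group 20; project 1 is scanned twice and has one dismissal."""
    conn = open_db()
    conn.executemany("INSERT INTO projects (id, group_id, name) VALUES (?,?,?)",
                     [(1, 10, "api"), (2, 10, "web"), (3, 20, "other")])
    conn.executemany("INSERT INTO pipelines (id, project_id) VALUES (?,?)",
                     [(100, 1), (101, 2), (102, 1), (103, 3)])
    ingest_report(conn, 100, SAST_REPORT)          # first scan of project 1
    ingest_report(conn, 102, SAST_REPORT)          # re-scan: same findings, newer pipeline
    ingest_report(conn, 102, DS_REPORT)
    ingest_report(conn, 101, SAST_REPORT)
    ingest_report(conn, 103, SAST_REPORT)          # other group, must not show up for group 10
    dismiss(conn, 1, fingerprint(json.loads(SAST_REPORT)["vulnerabilities"][0]))
    return conn

if __name__ == "__main__":
    print(group_dashboard(build_demo(), 10))
```

The dashboard for group 10 then reports one High and one Medium for `api` (the dismissed hardcoded password is hidden even though pipeline 102 reported it again, and the DS finding is counted) and one of each for `web`; the project in group 20 never enters the query.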
Here are a few links on how it currently works: