Show the detailed status of security testing in the merge request
Problem to solve
Currently, we show the security reports component of the merge request widget only when at least one job creates a security report. We then show the overall security status based on the available reports.
Although this is a good approach, it is not complete: it says nothing about the status of the security checks process, and nothing about which checks are expected.
Since users will make decisions based on what they see in the security report, they need a clear status there.
If the pipeline has multiple security test jobs (e.g., `sast` and `dependency_scanning`), there is a moment when the `sast` job is over and the MR reports no security flaws. But `dependency_scanning` still has to complete, and we cannot assume its outcome.
Stating that the security checks reported no vulnerabilities is misleading: that can only be known once the pipeline has completed all the security testing jobs.
It's valuable to have results in advance, so we should continue to show results as soon as they arrive. But we should also warn users that the results are not complete yet.
This is also true for one specific report, for example if you have multiple jobs creating multiple `sast` reports.
Proposal
Reflect the current status of the security checks process in the merge request.
- Identify whether security tests are expected (by inspecting the pipeline configuration), and which ones
- Show the status of the security testing process, based on the related jobs:
  - process is waiting to start
  - process is running
  - process is over (failed, succeeded)
- Show the security status (detected vulnerabilities, severity) - this is the only thing we have today
If expanded, each section (SAST, DAST, etc.) will show the information for its specific process.
Mockups: SAST Running | SAST Failure | All tests complete
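To make the proposal concrete, here is an added example (not GitLab's own code) of how the widget could derive a per-report process status and an "incomplete results" flag from the pipeline's security jobs. The job names, statuses, report types and findings are constructed sample data, and the `Job` struct and function names are assumptions for illustration.

```ruby
# Added example (not GitLab code): aggregate the security testing jobs of a
# pipeline into a per-report status, as the proposal describes. Sample data only.

REPORT_TYPES = %w[sast dependency_scanning dast container_scanning].freeze
FINISHED     = %w[success failed].freeze

# name: job name; status: CI job status; reports: report types the job
# produces; findings: severities reported so far (empty until the job ends).
Job = Struct.new(:name, :status, :reports, :findings)

# Status of the testing *process* for one report type, derived from its jobs.
def process_status(jobs)
  statuses = jobs.map(&:status)
  return :running if statuses.include?("running")
  return :waiting if statuses.any? { |s| %w[created pending].include?(s) }
  statuses.include?("failed") ? :failed : :succeeded
end

# Per report type: process status, findings collected so far, and whether
# those findings are complete (every related job has finished).
def security_status(jobs)
  REPORT_TYPES.each_with_object({}) do |type, summary|
    related = jobs.select { |job| job.reports.include?(type) }
    next if related.empty? # report type not expected in this pipeline
    done = related.select { |job| FINISHED.include?(job.status) }
    summary[type] = {
      status: process_status(related),
      findings: done.flat_map(&:findings),
      complete: done.size == related.size
    }
  end
end

# Widget-level view: findings by severity plus a flag that tells the reader
# whether "no vulnerabilities" actually means "no vulnerabilities yet".
def overall_status(summary)
  by_severity = Hash.new(0)
  summary.each_value { |r| r[:findings].each { |sev| by_severity[sev] += 1 } }
  { complete: summary.values.all? { |r| r[:complete] }, by_severity: by_severity }
end

# Constructed pipeline: one sast job done, a second still running, and
# dependency_scanning not started yet.
SAMPLE_JOBS = [
  Job.new("sast-ruby", "success", ["sast"], ["high"]),
  Job.new("sast-js",   "running", ["sast"], []),
  Job.new("gemnasium", "pending", ["dependency_scanning"], [])
].freeze
```

With `SAMPLE_JOBS`, `security_status` reports `sast` as running and incomplete with one high finding so far, `dependency_scanning` as waiting, and `overall_status` flags the whole result as incomplete, which is exactly the case where showing "no vulnerabilities" would mislead.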