Auto Remediation: user awareness when solutions are available in merge request

Problem to solve

The merge request security reports do not explicitly display or inform users when solutions are available for newly detected vulnerabilities. A user has to go through the vulnerabilities in the MR report one by one to discover that a solution is available (it is shown only in the details modal). Additionally, the vulnerabilities that include a solution are not aggregated anywhere.

Intended users

Proposal

When a suggested solution exists for a vulnerability introduced by a new commit in the merge request, add text to the widget section: “..<#> suggested solution(s)..”. The user can then commit the suggestions as needed and remediate the vulnerability before merging.
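An added example (not code from this issue or from GitLab itself) of the aggregation the proposal needs: given the security report of the target branch and of the MR head, find the vulnerabilities the MR introduces, count how many of them carry a suggested solution and how many carry a committable patch, and produce the widget text. The report shape is an assumption modelled on the GitLab security report JSON (a vulnerabilities list whose entries may carry a solution text, and a remediations list whose fixes reference vulnerability ids and whose diff is base64-encoded); the sample reports, the EXAMPLE-000x identifiers and the fingerprint() matching rule are constructed for this example.

```python
import base64
import json

# Constructed sample reports for this example (not real scanner output).
# Assumed shape, modelled on the GitLab security report JSON: a "vulnerabilities"
# list (each entry may carry a "solution" text) and a "remediations" list whose
# "fixes" reference vulnerability ids and whose "diff" is a base64 unified diff.
BASE_REPORT_JSON = json.dumps({
    "vulnerabilities": [
        {"id": "a1", "category": "dependency_scanning",
         "name": "Vulnerable dependency (pre-existing on target branch)",
         "identifiers": [{"type": "example", "value": "EXAMPLE-0001"}],
         "location": {"file": "package.json",
                      "dependency": {"package": {"name": "example-lib"}}}},
    ],
    "remediations": [],
})

HEAD_REPORT_JSON = json.dumps({
    "vulnerabilities": [
        # Same finding as on the target branch (ids differ per pipeline run,
        # so it must be matched on content, not on "id"): not introduced by the MR.
        {"id": "x9", "category": "dependency_scanning",
         "name": "Vulnerable dependency (pre-existing on target branch)",
         "identifiers": [{"type": "example", "value": "EXAMPLE-0001"}],
         "location": {"file": "package.json",
                      "dependency": {"package": {"name": "example-lib"}}}},
        # New, with solution text and a committable patch.
        {"id": "b2", "category": "container_scanning",
         "name": "Outdated package in base image",
         "identifiers": [{"type": "example", "value": "EXAMPLE-0002"}],
         "location": {"image": "registry.example/app:latest",
                      "dependency": {"package": {"name": "libexample"}}},
         "solution": "Upgrade libexample to 2.0"},
        # New, with solution text only (nothing to commit automatically).
        {"id": "c3", "category": "sast", "name": "Hardcoded credential",
         "identifiers": [{"type": "example", "value": "EXAMPLE-0003"}],
         "location": {"file": "app/config.rb", "start_line": 12},
         "solution": "Read the secret from an environment variable"},
        # New, no solution at all.
        {"id": "d4", "category": "sast", "name": "Weak hash algorithm",
         "identifiers": [{"type": "example", "value": "EXAMPLE-0004"}],
         "location": {"file": "app/auth.rb", "start_line": 40}},
    ],
    "remediations": [
        {"fixes": [{"id": "b2"}], "summary": "Upgrade libexample to 2.0",
         "diff": base64.b64encode(
             b"--- a/Dockerfile\n+++ b/Dockerfile\n@@ -1 +1 @@\n"
             b"-RUN apk add libexample=1.0\n+RUN apk add libexample=2.0\n"
         ).decode()},
    ],
})


def fingerprint(vuln):
    """Key for recognising the same finding across two pipelines.
    Assumed matching rule: category, identifiers, file/image and package name."""
    loc = vuln.get("location", {})
    ids = tuple(sorted((i["type"], i["value"]) for i in vuln.get("identifiers", [])))
    where = loc.get("file") or loc.get("image") or ""
    pkg = loc.get("dependency", {}).get("package", {}).get("name", "")
    return (vuln.get("category"), ids, where, pkg)


def new_vulnerabilities(base_report, head_report):
    """Findings present in the head report but absent from the base report."""
    seen = {fingerprint(v) for v in base_report.get("vulnerabilities", [])}
    return [v for v in head_report.get("vulnerabilities", [])
            if fingerprint(v) not in seen]


def remediations_for(report, vulns):
    """Remediation entries whose fixes reference any of the given vulnerabilities."""
    wanted = {v["id"] for v in vulns}
    return [r for r in report.get("remediations", [])
            if any(f.get("id") in wanted for f in r.get("fixes", []))]


def decode_diff(remediation):
    """The unified diff a user could commit, decoded from base64."""
    return base64.b64decode(remediation["diff"]).decode()


def widget_summary(base_json, head_json):
    """Aggregate for the MR widget: new findings, how many have a suggested
    solution, how many have a patch that can be committed, and the widget text."""
    base, head = json.loads(base_json), json.loads(head_json)
    new = new_vulnerabilities(base, head)
    fixes = remediations_for(head, new)
    patched_ids = {f["id"] for r in fixes for f in r["fixes"]}
    with_solution = sum(1 for v in new if v.get("solution"))
    with_patch = sum(1 for v in new if v["id"] in patched_ids)
    noun = "suggested solution" if with_solution == 1 else "suggested solutions"
    return {"new": len(new), "with_solution": with_solution, "with_patch": with_patch,
            "text": f"{with_solution} {noun}", "patches": [decode_diff(r) for r in fixes]}


if __name__ == "__main__":
    print(json.dumps(widget_summary(BASE_REPORT_JSON, HEAD_REPORT_JSON), indent=2))
```

The distinction between with_solution and with_patch matters for the widget: every finding with a solution can be shown in the aggregated section, but only the ones backed by a remediation diff can be offered as a commit or a patch download; the others can only be surfaced as advice.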

Here's where we are at: currently in workflow design, planned as a follow-up iteration to #12896 (closed) per &3373.

📽 view overview of problem-solution-ideation

Iteration V
[image: iteration5]

Iteration III and IV
Iteration III: Display explicitly in the merge request when solutions are available (newly detected/introduced vulns from MR commits only)
[images: iteration3, iteration4]

Iteration II feedback notes
Iteration II: Display explicitly in the merge request when solutions are available. Make fixes available to download.
[image: iteration2]

Iteration II feedback notes from Secure/Defend UX review 01/29/20:

  • Consider more whitespace between icons and vulns name
  • Maybe a table could help or buttons for download actions
  • Possible commit action for container scanning
  • Preference for A, where the solutions are visible in MR (vs Security page)
  • The section could include suggestions text and available
Iteration I and feedback notes
Iteration I: Display explicitly in the merge request when solutions are available.
[image: all]

Iteration I feedback notes from SCA team review 01/13/20:

  • Dependency scanning fixes would need to be done in separate MRs (individually)
  • Container scanning is ideal to apply fixes directly in MR (all together)
  • Would be helpful to have patch downloads available
  • Applies to newly detected/introduced vulns from MR commits

Further details

This is focused on empowering the developer, who is responsible for committing secure work. Another future consideration: a security rule could be created to require users to apply the available solutions.

Permissions and Security

....

Documentation

Testing

What does success look like, and how can we measure that?

  • Does the user notice the available solutions section?
  • Does the user understand the options available?
  • Do the users complete the task (applying solutions) successfully?

What is the type of buyer?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
