Suggested Solution (was Auto-remediation): user awareness when solutions are available in dashboards
Problem to solve
The security dashboard (group and project level) security reports do not explicitly display or inform users when solutions are available for newly detected vulnerabilities. The user would need to sort through and select individual vulnerabilities to discover that a patch is available.
Further details
Additional context: in the upcoming auto-remediation MVC, if the feature is activated (it will automatically create MRs with solutions when available), a banner will be displayed on the project-level dashboard, notifying the user and linking to the MRs with solutions. This issue aims to look at two cases: 1) the auto-remediation feature is not turned on, but dependency scanning is configured; 2) surfacing when solutions for container scanning vulnerabilities are available (then create an MR with the solutions).
For dependency scanning vulnerabilities with solutions, it works better to create individual MRs, whereas for container scanning a consolidated MR would be easier for the user.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Proposal
Display on the vulnerability list when solutions are available. Allow users to create a merge request with the fixes.
| Make user aware of the setting (Only show once) | Show it in the list |
|---|---|
| ![]() | ![]() |
Permissions and Security
Any user can create an MR with a solution.
Documentation
...
Availability & Testing
...
What does success look like, and how can we measure that?
- Does the user know solutions are available upon landing on the dashboard page?
- Can the user create a merge request with the available solutions?
What is the type of buyer?
Links / references
...