Report false positives to GitLab in Security Reports


Problem to solve

We don't have a feedback loop from our users on false positives in security reports.

Intended users

Further details

While users can dismiss findings, and thereby mark them as false positives, we have no data on whether a dismissal reflects project-specific context (the finding is technically correct but irrelevant here) or a genuine false positive in the analyzer's rules.

Proposal

We should let users report issues in the rules used by our analyzers. We have a public project for Dependency Scanning, but users are not necessarily aware of it. Reporting other problems is even more obscure, since an issue has to be created in the GitLab project itself with the right labels. We could provide a link directly to https://gitlab.com/gitlab-org/gitlab/issues/new with a new issue template specific to false positives.
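As an added example of the deep link this proposal describes (this is illustration code, not GitLab's implementation): the new-issue page accepts the issuable_template, issue[title] and issue[description] query parameters, so a "report false positive" link can select the template and prefill the finding's details. The template name False_Positive, the finding fields, the description cap and the sample finding are all assumptions made here.

```ruby
require "uri"

# Added example, not GitLab's own code. The new-issue URL and the
# issuable_template / issue[title] / issue[description] query parameters are
# existing GitLab features; everything else below is an assumption.
NEW_ISSUE_URL = "https://gitlab.com/gitlab-org/gitlab/issues/new".freeze
TEMPLATE_NAME = "False_Positive".freeze # hypothetical .gitlab/issue_templates/False_Positive.md
MAX_DESCRIPTION = 4000 # assumed cap so the prefilled link stays within browser URL limits

# Renders the prefilled report body from a finding Hash with the fields an
# analyzer maintainer needs to reproduce the false positive.
def false_positive_description(finding)
  <<~MD
    ## False positive report

    * Scanner: #{finding[:scanner]} #{finding[:scanner_version]}
    * Rule: `#{finding[:rule_id]}`
    * Location: `#{finding[:file]}:#{finding[:line]}`
    * Severity reported: #{finding[:severity]}
    * Project: #{finding[:project]}

    ## Why this is a false positive

    <!-- Explain why the finding does not apply. Do not paste secrets. -->
  MD
end

# Builds the link to put next to the "Dismiss" action in the report.
def false_positive_report_url(finding, base_url: NEW_ISSUE_URL, template: TEMPLATE_NAME)
  description = false_positive_description(finding)
  # Truncate rather than emit a link some browsers or proxies will reject.
  if description.length > MAX_DESCRIPTION
    description = description[0, MAX_DESCRIPTION - 3] + "..."
  end
  params = {
    "issuable_template" => template,
    "issue[title]" => "False positive: #{finding[:scanner]} rule #{finding[:rule_id]}",
    "issue[description]" => description,
  }
  # encode_www_form percent-encodes newlines, brackets, backticks and '#'
  # so the finding details survive as a single URL.
  "#{base_url}?#{URI.encode_www_form(params)}"
end

# Inverse of the above: decode what a link will prefill, useful for checking
# generated links before shipping them.
def prefilled_fields(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

# Constructed sample finding (not real scan output; the rule id is a placeholder).
SAMPLE_FINDING = {
  scanner: "Dependency Scanning",
  scanner_version: "2.x",
  rule_id: "example/rule-42",
  file: "Gemfile.lock",
  line: 17,
  severity: "High",
  project: "my-group/my-project",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts false_positive_report_url(SAMPLE_FINDING)
end
```

The description deliberately asks the reporter why the finding does not apply: that answer is what distinguishes a project-specific dismissal from a rule defect, which is the data the problem statement says is missing today.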

Permissions and Security

TODO

Documentation

TODO

Availability & Testing

TODO

What does success look like, and how can we measure that?

  • number of false positives reported to GitLab by users.

What is the type of buyer?

GitLab Ultimate

Links / references
