Code Quality Dashboard

Problem to solve

Customers currently only have visibility in code quality improvements & decrements within an MR. Similar to the security dashboard, it would be hugely valuable to see the changes to overall code quality over time at both a project, group and instance level.

Intended users

• Rachel (Release Manager)
• Parker (Product Manager)
• Delaney (Development Team Lead)
• Dana (Data Analyst)

Further details/Use Cases

Use case - visibility of overall project health across teams and company.

As a Team lead I want to see an estimate for how long issues will take to fix so I can predictably schedule tech debt payment. - This came up with a discussion with @cherryhan about how we could estimate based on Time to Merge fixes of similar violations from OSS projects.

Proposal

Like the Security Dashboard, this is now a Code Quality or Health dashboard.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

Success metrics: number of users using the feature, as part of SMAU.

What is the type of buyer?

Manager or Executive level dashboards.

Links / references

Related to: #8406

Create issues from Code Quality report Create a score from Code Quality

added typefeature label

changed the description

changed the description

added groupoptimize label

added Category:Code Quality devopsmanage labels

@jeremy may be interested in this and we can talk about how code quality reports can help drive Category:Code Analytics

This came from a conversation with customer: https://gitlab.my.salesforce.com/0016100001PrBWK who we previously engaged with regarding the VSM designs in depth with Virjinia.

They have a big focus this year on visibility across their teams. They have grown 4x in the past ~5 years which has brought challenges around visibility, measurability and consistency across their different teams. This is part of a 'health check' they want to be putting into place with their teams which will include architectural health of products, as well as other measures.

They are very happy/open to discussing the requirements in more depth with the product team.

Excellent as we get closer to validation i'll loop you back in. Once the code quality feature is released we'd love to hear how they are using it and what problems still exist or have popped up.

Thanks James. Do you have a link the code quality feature you are referring to?

I believe he’s referring to this #4189 (closed)

@simon_mansfield yep sorry I forgot the issue label.

added customer label

mentioned in issue #207752 (closed)

mentioned in issue #208615 (closed)

mentioned in issue #209698 (closed)

mentioned in issue #211274 (closed)

mentioned in issue #212098 (closed)

mentioned in issue #212791 (closed)

mentioned in issue #212804 (closed)

mentioned in issue #213480 (closed)

mentioned in issue #214171 (closed)

mentioned in issue #214941 (closed)

mentioned in issue #215807 (closed)

mentioned in issue #216402 (closed)

mentioned in issue #217262 (closed)

mentioned in issue #218181 (closed)

mentioned in issue #218923 (closed)

mentioned in issue #219676 (closed)

mentioned in issue #220710 (closed)

mentioned in issue #222210 (closed)

mentioned in issue #223629 (closed)

added direction label

mentioned in issue #225110 (closed)

mentioned in issue #226937 (closed)

mentioned in issue #230636 (closed)

mentioned in issue #232357 (closed)

mentioned in issue #233312 (closed)

mentioned in issue #235068 (closed)

added sectiondev label

mentioned in issue #237806 (closed)

mentioned in issue #240837 (closed)

mentioned in issue #243450 (closed)

mentioned in issue #246441 (closed)

mentioned in issue #249042 (closed)

mentioned in issue #254143 (closed)

mentioned in issue #257769 (closed)

mentioned in issue #261976 (closed)

changed the description

mentioned in issue gitlab-org/quality/triage-reports#470 (closed)

mentioned in issue gitlab-org/quality/triage-reports#530 (closed)

mentioned in issue gitlab-org/quality/triage-reports#606 (closed)

mentioned in issue gitlab-org/quality/triage-reports#665 (closed)

mentioned in issue gitlab-org/quality/triage-reports#672 (closed)

mentioned in issue gitlab-org/quality/triage-reports#705 (closed)

mentioned in issue gitlab-org/quality/triage-reports#794 (closed)

mentioned in issue gitlab-org/quality/triage-reports#853 (closed)

mentioned in issue gitlab-org/quality/triage-reports#943 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1017 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1081 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1179 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1238 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1343 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1403 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1533 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1577 (closed)

changed milestone to %Backlog

This was raised as a concern by https://gitlab.my.salesforce.com/00161000004zoBW when comparing GitLab's offerings against a competitor like Muse.dev

@jheimbuck_gl This issue was raised in detail by an Ultimate customer: https://gitlab.my.salesforce.com/0016100001EoV0N, comparing against Sonarqube.

They are especially missing management features (for example filtering by severity), explanations why the finding is an issue and context above a simple one liner.

@bittner Can you provide more context?

Thanks for the ping @mbruemmer and nice to meet you @bittner

We are working on some usability improvements to the merge request widget and full report to sort by severity in the current and future milestones that should help a little with the search for important violations to address.

We are also starting our first step in adding the code quality violation data to the MR Diff so code review is easier and the violations found are in context of the actual files changed.

I'd be happy to hear about additional use cases to better inform this issue! Thanks!

The usability improvements look promising. Especially the sorting, filtering, drilling-down is helpful to motivate all involved partied to address the (biggest) problems (first). That seems on track on the UX front, thank you! 👍 🎯

The hard issues we see are in the code quality scanning as such, though:

1. Technically, Code Climate runs in a docker-in-docker scenario. We have done a technical analysis on that and saw that this is a hard requirement due to architectural decisions (GitLab and Code Climate use containers to run things). We're a (large) financial institution and need to phase out Docker for security reasons, and use (e.g.) Podman to run tasks with unprivileged users.
2. Code Climate doesn't seem to cache the images it downloads to run its "engines". That results in a significant, recurring speed penalty, which is unfortunate (and probably not too difficult to fix with caching).

We've learned in our call with @mbruemmer that you're considering alternatives to Code Climate. You're also considering "offline mode", which would be a huge security advantage.

As a personal note, an alternative to dropping Code Climate might be to bring them into the discussion and verify whether they plan to modify their engine concept. We've seen, for example, that Sonarqube runs "as a monolith", architecturally speaking, hence wouldn't have the DnD problem, in theory.

marked this issue as related to #36907

marked this issue as related to #230557

Hi, we are currently filling up details for an RFP for a large opportunity in APAC and this feature is one of the requested features.

As quoted from the requirement doc, Describe how quality requirements and the overall quality of an application is tracked against a baseline.. Are there any updates to the estimated timeline on when the Code Quality Dashboard could be developed? @jheimbuck_gl

I think dashboard could be really useful for a lot of productivity engineers :)

CC - @r_williams @rhueston

@jonlimr

We are currently working on the first iteration in this epic. Since this was created Category:Code Quality has transitioned ownership to groupstatic analysis cc @tmccaslin.

@jheimbuck_gl Thank you!

@simon_mansfield @tmccaslin this issue seems like it has some overlap with the epic i created here: &3500. How can I help merge these so we have a SSOT for everyone to reference?

It certainly seems to have a lot in common with &3500 I agree. Is there anything that you feel is missing from that epic that's contained in here? Otherwise I'm happy for this to be closed and the epic become the SSOT.

unassigned @simon_mansfield

unassigned @simonwill and @suhegbu

added [deprecated] Accepting merge requests label

removed direction label

added devopssecure groupstatic analysis sectionsec labels and removed devopsmanage groupoptimize sectiondev labels

removed [deprecated] Accepting merge requests label

added code qualityreporting label

• Link to request: https://gitlab.my.salesforce.com/0014M00001gU9w0
• Priority: customer priority10
• Why interested: Upgraded to GitLab Ultimate for security features in order to move away from SonarQube
• Problem they are trying to solve: Aggregating Code Quality metrics
• Impact to the customer of not having this: Lack of visibility into code quality

This was raised by one of our customers as a high priority need. They want to move away from SonarQube but this is blocking them from doing so.

An 800-seat Premium customer feels they are unable to move to Ultimate without this functionality. Improving CQ across the entire engineering community is a key initiative for the CTO and they are using SonarQube as it provides the functionality described in this issue.

@r.leite we would like to push for this feature as well, developers within our company are looking to https://codescene.com/ to get this kind of information.

@connorgilbert Do you know if are there any plans to address this in the near future?

added groupsecret detection label and removed groupstatic analysis label

added groupstatic analysis label and removed groupsecret detection label