DESIGN: Vulnerability dismissal requires approval
Problem to solve
Anyone with at least Developer access can dismiss vulnerabilities in any of the Security Dashboards. This creates a lack of accountability and oversight in managing vulnerabilities.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
We already have Security Approvals at the Merge Request level, where a group of users is required to approve any finding with a Critical, High, or Unknown severity. Even dismissed findings with these severities still require approval before merging is allowed.
However, we don't have any control over dismissals outside of the MR. Anyone with Developer access can freely dismiss vulnerabilities in Vulnerability Reports (formerly Security Dashboards, which show vulnerabilities already in a project's default branch). This change can go under the radar of the Security Team because we don't yet have an audit trail and no approval is required to dismiss a vulnerability.
Proposal
We need a way to optionally require approval before dismissing a vulnerability from a Project, Group, or Instance Vulnerability Report. We need to consider having this be a setting or rule that can be applied top-down so that users with many hundreds or thousands of projects can enable it globally. Overriding or making specific adjustments at the Group and/or Project level will still be necessary.
It may not be the right long-term approach but we should consider whether we can leverage the existing security approver groups. We might use them as the same approvers for vulnerability dismissal approvals.
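As an illustration of the proposed mechanics (an added example, not GitLab code), the following Ruby sketch resolves the require-approval setting top-down with Group/Project overrides and gates a dismissal on sign-off from the project's security approver group. Class and method names are assumptions, as is the rule that the requester cannot approve their own dismissal.

```ruby
# Illustrative model of "vulnerability dismissal requires approval".
# Added example, not GitLab code; all names here are assumptions.

# A scope is the instance, a group, or a project. The setting is resolved
# top-down: nil means "inherit from parent", so an instance-level setting
# applies everywhere unless a group or project explicitly overrides it.
class Scope
  attr_reader :name, :parent, :require_approval

  def initialize(name, parent: nil, require_approval: nil)
    @name = name
    @parent = parent
    @require_approval = require_approval
  end

  def effective_require_approval?
    return require_approval unless require_approval.nil?
    parent ? parent.effective_require_approval? : false
  end
end

# A pending dismissal: who requested it and which members of the project's
# security approver group (reused from MR Security Approvals) signed off.
class DismissalRequest
  attr_reader :approvals

  def initialize(project, requester, approver_group, approvals_required: 1)
    @project = project
    @requester = requester
    @approver_group = approver_group
    @approvals_required = approvals_required
    @approvals = []
  end

  def approve(user)
    raise ArgumentError, "#{user} is not a security approver" unless @approver_group.include?(user)
    # Assumption: separation of duties, the requester may not self-approve.
    raise ArgumentError, "requester cannot approve own dismissal" if user == @requester
    @approvals << user unless @approvals.include?(user)
    self
  end

  # Dismissal proceeds immediately where the effective setting is off;
  # otherwise it waits until enough distinct approvers have signed off.
  def dismissible?
    return true unless @project.effective_require_approval?
    @approvals.size >= @approvals_required
  end
end
```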
This issue is to gather discussions to solve this problem.
Permissions and Security
TBD
Documentation
TBD
Availability & Testing
TBD
What does success look like, and how can we measure that?
- Better isolation of privileges for security interactions
What is the type of buyer?
Links / references
/cc @andyvolpe following our discussion today.