User awareness of projects with vulnerability-check
Problem to solve
Context: we currently have the Vulnerability-Check at the project level. When enabled, it blocks a merge request if a Critical, High, or Unknown severity vulnerability is detected (regardless of dismissal). Issue part of: &3202 (closed)

Problem: the feature is not visible in the UI unless it is activated, so it is hard to tell whether a project is set up with the check. #31922 (closed) and #213707 (closed) aim to surface the check for configuration and developer awareness. A user who wants to set up the check across multiple projects has to do so project by project, rather than selecting multiple projects and applying the rule to all of them. Even after setting up the rule across multiple projects, there is no overview of which projects have the rule enabled (again, this would have to be verified project by project).
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
User experience goal
Allow users to see, across multiple projects, which ones are configured with the Vulnerability-Check.
Proposal
- Display at the group (or instance?) level which projects have the Vulnerability-Check rule enabled.
- Provide a link to the settings where the user may configure the feature.
Further details
Issue part of introducing group-level security check: &3202 (closed)
Permissions and Security
...
Documentation
Availability & Testing
...
What does success look like, and how can we measure that?
- Can the user identify which projects have Vulnerability-Check enabled?
- Can the user find where to identify which projects are enabled (information architecture of the awareness UI)?
What is the type of buyer?
Is this a cross-stage feature?
This is a cross-stage feature for devopssecure, as it relates to the scanning results of every scanner except License Scanning. Additionally, it affects the merge request experience, the configuration page, and vulnerability management ~"devops::defend"