Improve handling of monorepos in Vulnerability Management
Problem to solve
Customers using monorepos* have all security scan results presented under the same Project, with no easy way to tell which application a vulnerability belongs to. This makes the Vulnerability Report and Security Dashboards challenging to use, and it makes it harder to triage vulnerabilities properly because the results from all applications in the monorepo are mixed together.
*A monorepo is a repository in which a customer houses multiple different applications under a single Project, each in its own directory.
User experience goal
Provide a quick way to distinguish between the logical applications in a monorepo when dealing with vulnerabilities. This applies to both the Vulnerability Report and the Security Dashboards. The mechanism should be flexible enough to show only the application(s) of interest at a given time. It should also not interfere with or degrade the experience for users who do not have monorepos.
Proposal
Focus should be at the Project level, as this is where a monorepo lives and where it is currently a challenge to work with. The MR and Pipeline security experience should also be taken into account, as similar challenges will exist there. It likely does not make sense to carry this experience for monorepos to the Group level, but the scenario should be investigated to rule it out.
The basic proposal is to create a filter and/or "search" option that allows separating the applications in the same Project. This might be by directory, module, detected language type, etc.
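As an added illustration of the directory-based variant of this proposal (example code written for this issue, not part of GitLab), the snippet below groups and filters findings by the directory they were reported in. It assumes only that each finding carries the file path in a `location.file` field, as GitLab security reports do; the findings themselves are constructed sample data, and the "application" boundary is simply the first N path components, which is the kind of rule a per-directory filter would need.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample findings, shaped like the `vulnerabilities[]` entries of a
# security report (only the fields used here are included).
SAMPLE_FINDINGS = [
    {"id": "f1", "severity": "High", "location": {"file": "services/payments/app.py"}},
    {"id": "f2", "severity": "Medium", "location": {"file": "services/payments/db.py"}},
    {"id": "f3", "severity": "Critical", "location": {"file": "services/auth/login.go"}},
    {"id": "f4", "severity": "Low", "location": {"file": "frontend/src/index.js"}},
    {"id": "f5", "severity": "High", "location": {"file": "README.md"}},
]


def application_of(path: str, depth: int = 2) -> str:
    """Derive a logical application name from a file path.

    The first `depth` directory components are used, never the file name
    itself; files at the repository root fall into a synthetic "(root)"
    bucket so they are still visible rather than silently dropped.
    """
    parts = PurePosixPath(path).parts
    if len(parts) <= 1:
        return "(root)"
    return "/".join(parts[: min(depth, len(parts) - 1)])


def group_by_application(findings, depth: int = 2):
    """Bucket findings by application so a report can be split per app."""
    groups = defaultdict(list)
    for finding in findings:
        groups[application_of(finding["location"]["file"], depth)].append(finding)
    return dict(groups)


def _under_directory(path: str, prefix: str) -> bool:
    # Match on a directory boundary: "services/" must not match "service".
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def filter_by_prefixes(findings, prefixes):
    """Keep only findings located under any of the given directory prefixes.

    Accepting several prefixes lets a user view one or more applications at
    once, as the user experience goal above asks for.
    """
    return [
        f for f in findings
        if any(_under_directory(f["location"]["file"], p) for p in prefixes)
    ]


def summarize(findings, depth: int = 2):
    """Per-application severity counts, the shape a dashboard widget would show."""
    summary = {}
    for app, items in group_by_application(findings, depth).items():
        counts = defaultdict(int)
        for f in items:
            counts[f["severity"]] += 1
        summary[app] = dict(counts)
    return summary


if __name__ == "__main__":
    for app, counts in summarize(SAMPLE_FINDINGS).items():
        print(f"{app}: {counts}")
    print("auth + frontend only:",
          [f["id"] for f in filter_by_prefixes(SAMPLE_FINDINGS, ["services/auth", "frontend"])])
```

The boundary check in `_under_directory` matters for triage: a naive string prefix match would let a filter for `service` pull in everything under `services/`, mixing applications back together, which is exactly the problem this issue is trying to remove. The `depth` parameter is the knob that would need to be configurable per Project, since monorepos do not all nest their applications at the same level.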