Inform users when a publicly known widespread issue is present in their project
NOTE: if you are a user who would also like to see this feature, please UPVOTE
Problem to solve
In critical situations, we should be able to decide to force a check on SaaS users. It should be at no cost to the user (still to be figured out), and be non-impactful but informative.
Occasionally there are widespread issues in dependencies that urgently need attention. These are so severe that you don't always want to rely on users having set up or followed best practices. For example, Heartbleed and the Octopus malware scanner case at https://thenewstack.io/github-open-source-projects-entangled-by-the-octopus-malware-scanner/
Users may be unaware whether, or which of, their projects are impacted. We should provide methods to help with this.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Proposal
MVC: when GitLab decides to (e.g. a major breach announced in a library), use existing SaaS data to force a check of the impacted dependencies in projects against the known data, then show a warning to impacted users along with the date of the data (how current it is). This would only be used in critical situations; we would usually rely on users having best practices in place.
Related but not directly in scope: allow users to schedule their own full project scans (issue in backlog) using ghost or background pipelines, so they are informed of all newly found or announced issues.
Related but not directly in scope: push notifications (issue in backlog).
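The forced check described in the proposal, as an added illustration rather than GitLab's own code: a curated feed of known widespread issues (one constructed Heartbleed-style entry with assumed version bounds) is matched against each project's pinned dependencies, and every warning carries the date the feed data was last refreshed; unparseable versions are flagged rather than silently skipped.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class WidespreadIssue:
    package: str         # dependency name as it appears in the project's lockfile
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive: first version carrying the fix
    name: str            # human-readable label shown in the warning

# Constructed sample feed; a real service would use GitLab's curated data.
FEED_DATE = date(2024, 1, 15)  # assumed: when the known-issue data was last refreshed
FEED = [WidespreadIssue("openssl", "1.0.1", "1.0.1g", "Heartbleed (sample entry)")]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")

def parse_version(v: str):
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 6); None if unparseable."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (letter,)

def check_project(deps: dict, feed=FEED, feed_date: date = FEED_DATE) -> list:
    """Return one warning per impacted or unverifiable dependency in a project."""
    warnings = []
    for dep, ver in deps.items():
        parsed = parse_version(ver)
        for issue in feed:
            if issue.package != dep:
                continue
            if parsed is None:
                warnings.append(f"{dep} {ver!r}: version not parseable, check manually")
            elif parse_version(issue.first_affected) <= parsed < parse_version(issue.fixed_in):
                warnings.append(f"{dep} {ver} affected by {issue.name} "
                                f"(data as of {feed_date.isoformat()})")
    return warnings

def impacted_projects(projects: dict, feed=FEED, feed_date: date = FEED_DATE) -> dict:
    """Map each project name to its warnings, omitting projects with none."""
    return {name: w for name, deps in projects.items()
            if (w := check_project(deps, feed, feed_date))}

if __name__ == "__main__":
    # Constructed sample projects with pinned dependencies.
    sample = {"web-app": {"openssl": "1.0.1f", "requests": "2.31.0"},
              "cli-tool": {"openssl": "1.0.2"}, "legacy": {"openssl": "unknown"}}
    for proj, warns in impacted_projects(sample).items():
        print(proj, "->", warns)
```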
Further details
Documentation
yes
Availability & Testing
yes