Security & Compliance page for core users - Technical design
Why
This issue tracks the technical design for &4787, which exposes a Security & Compliance page for Core users.
References:
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/finders/security/security_jobs_finder.rb
  - Lists scanners to query job status
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/presenters/projects/security/configuration_presenter.rb
  - Metadata for scanners
  - Custom logic to override license compliance and inject DAST Profiles lines
Problems with the current configuration page code design
- The code is very rigid: it is difficult to add static content that isn't pipeline driven (e.g. adding DAST Profiles).
- The current configuration page has an issue where the scanner status is incorrectly reported if the last pipeline run didn't contain security scans (e.g. a docs-only pipeline).
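As an added illustration (not GitLab's code; pipelines and job names are constructed sample data), the status mis-report described above beside a fallback that reads status from the most recent pipeline that actually ran any scanner:

```ruby
# Added illustration, not GitLab's code. Shows why deriving scanner status
# only from the most recent pipeline mis-reports every scanner after a
# docs-only run, and one fallback. All pipeline data below is constructed.

SCANNERS = %w[sast dast dependency_scanning secret_detection].freeze

# Constructed pipeline history, newest first. Pipeline 3 is docs-only and
# contains none of the security jobs.
PIPELINES = [
  { id: 3, jobs: %w[docs-lint pages] },
  { id: 2, jobs: %w[build sast dast secret_detection] },
  { id: 1, jobs: %w[build sast secret_detection] }
].freeze

# Current behaviour: look only at the latest pipeline. Every scanner is
# reported as not configured as soon as a pipeline without security jobs runs.
def status_from_latest(pipelines, scanners = SCANNERS)
  latest = pipelines.first
  scanners.to_h { |s| [s, !latest.nil? && latest[:jobs].include?(s)] }
end

# Fallback: use the most recent pipeline that ran at least one scanner, so a
# docs-only pipeline no longer flips everything to false. Caveat: a scanner
# that was deliberately removed keeps showing as configured until a new
# pipeline with any security job runs.
def status_from_latest_with_scans(pipelines, scanners = SCANNERS)
  with_scans = pipelines.find { |p| (p[:jobs] & scanners).any? }
  scanners.to_h { |s| [s, !with_scans.nil? && with_scans[:jobs].include?(s)] }
end

if $PROGRAM_NAME == __FILE__
  puts "latest only:       #{status_from_latest(PIPELINES)}"
  puts "latest with scans: #{status_from_latest_with_scans(PIPELINES)}"
end
```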
Questions
- Should we follow the jobs_finder pattern or can we build more elegant APIs to run this page?
- For MVC should we build this page completely static?
Proposals
Option | Level of Effort | Complexity | Desire | Pros | Cons
---|---|---|---|---|---
Fully static | Low/Medium | Low | Medium | |
Using existing pipeline driven backend | Medium | Medium | Medium | |
Augmenting pipeline status with ci.yml parsing/JSON API | High | High | Short-term low, long-term high | |
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
Edited by Neil McCorrison