Vulnerability Report option to view tags
Release notes
Problem to solve
Today, the Project Vulnerability Report shows vulnerabilities only for the project's default branch. This works well for organizations where what is in the default branch is the same as what gets deployed to production. It does not cover organizations using a CD process in which tagged commits are the single source of truth (SSOT) for what is in production: the findings shown for the default branch may include fixes not yet in a release, or omit vulnerabilities still present in the tagged commit that is actually deployed. We need to offer a way to switch the Vulnerability Report view to a specific tag.
Intended users
- Cameron (Compliance Manager)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
User experience goal
A user can quickly switch the Vulnerability Report view to a tagged commit. All vulnerabilities displayed update to reflect only the results from this tag. This includes the severity count tiles at the top, the vulnerability list, as well as what gets exported when downloading the CSV report.
When I have switched to a tag, there needs to be a clear visual indicator that I am not looking at the default branch anymore. I would also want my selection to persist until I change it. That means if I change to a specific tag on a project's Vulnerability Report, I can navigate away, come back to this page later and see the view is still showing results for my selected tag. Changing the view to this tag does not affect the view for anyone else. It also does not affect the view for any other project.
Proposal
Evaluate whether it makes sense to allow switching to any tagged commit. It may be a better user experience, and more sustainable for high-throughput projects, to show only certain tags. In that case, we need a way to determine which tags to show. We also need to consider that persisting vulnerability findings for every tagged commit is likely to greatly increase database storage needs. This could be a forcing function for a user-controlled or regularly scheduled cleanup mechanism for findings of old tags.
In addition to the required UI work, we also need to provide an API customers can use to pull the same vulnerability information from their tagged commits.