Add scanner name with version and definition version to the Merge Requests and Pipeline
Problem to solve
Add additional data within the Merge Request and Pipeline to include the version number of the scanner and the version of the definition file being used.
In the wake of the SolarWinds hack, the Colonial Pipeline hack, and the US Presidential Executive Order on securing the supply chain, there is increased scrutiny of whether the security teams approving code have relevant and adequate information to quickly confirm, to the best of their knowledge, that everything is correct. GitLab needs to be very transparent about which scanner and definition versions were used so that approvers relying on those results are properly informed.
Intended users
All
Further details
- Some kind of details provided here (perhaps the "Blue ?" can provide these hover-over details) and/or a hyperlink on the "SAST", "Dependency Scanning", "Container Scanning" names within the MR to provide more details.

- Ideally from the pipeline, it would make the most sense to update the Security Tab within the Scan Details section to provide some more context. For example, in the screenshot below it just says: "SAST", "Container Scanning", "Dependency Scanning", but ideally we should say which scanner(s), what versions, and what definitions provided these results.

- Within the raw output from the pipeline we seem to capture the scanner version but not the definition version (which may or may not be an issue).
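To make the observation above concrete, here is an added example (not code from this issue or from GitLab) that reads the `scan` block of a GitLab security report (`scan.scanner` and `scan.analyzer`, each with `name` and `version`, as in the report schema), summarises the provenance an approver would want beside "SAST" in the MR, and lists which provenance fields the report does not carry. The `definitions_version` field is an assumption introduced here for illustration; the report schema has no such field, which is exactly why the SAST sample reports it as "not recorded". Both sample reports and every version string in them are constructed.

```python
"""Extract scanner provenance from GitLab-style security report JSON.

Added example, not part of the issue or of GitLab's code. All sample data is
constructed; ``definitions_version`` is an assumed field name.
"""
import json

# Constructed sample shaped like gl-sast-report.json. The scan.scanner /
# scan.analyzer blocks with id/name/version/vendor follow the report schema.
SAMPLE_SAST_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [],
    "scan": {
        "type": "sast",
        "status": "success",
        "analyzer": {"id": "example-analyzer", "name": "Example Analyzer",
                     "version": "4.5.6", "vendor": {"name": "Example Vendor"}},
        "scanner": {"id": "example-scanner", "name": "Example Scanner",
                    "version": "1.2.3", "vendor": {"name": "Example Vendor"}},
    },
})

# Same shape, but carrying a definition version under the ASSUMED field
# ``definitions_version`` so the two cases can be compared.
SAMPLE_DS_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [],
    "scan": {
        "type": "dependency_scanning",
        "status": "success",
        "analyzer": {"id": "example-ds-analyzer", "name": "Example DS Analyzer",
                     "version": "7.8.9", "vendor": {"name": "Example Vendor"}},
        "scanner": {"id": "example-ds-scanner", "name": "Example DS Scanner",
                    "version": "2.0.0", "definitions_version": "2021-06-01",
                    "vendor": {"name": "Example Vendor"}},
    },
})

# Fields an approver needs in order to know what produced the findings.
REQUIRED_FIELDS = (
    ("scan", "type"),
    ("scan", "analyzer", "name"),
    ("scan", "analyzer", "version"),
    ("scan", "scanner", "name"),
    ("scan", "scanner", "version"),
    ("scan", "scanner", "definitions_version"),  # assumed field, see above
)


def _lookup(obj, path):
    """Walk a nested dict along ``path``; return None if any key is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def missing_provenance(report_json):
    """Return dotted paths of provenance fields the report does not carry."""
    report = json.loads(report_json)
    return [".".join(p) for p in REQUIRED_FIELDS if _lookup(report, p) in (None, "")]


def scanner_provenance(report_json):
    """Summarise scan type, analyzer, scanner and definitions for display."""
    report = json.loads(report_json)

    def field(*path):
        return _lookup(report, path) or "unknown"

    defs = _lookup(report, ("scan", "scanner", "definitions_version"))
    return {
        "scan_type": field("scan", "type"),
        "analyzer": f'{field("scan", "analyzer", "name")} {field("scan", "analyzer", "version")}',
        "scanner": f'{field("scan", "scanner", "name")} {field("scan", "scanner", "version")}',
        "definitions_version": defs or "not recorded",
    }


def audit_record(report_json, pipeline_id):
    """One line suitable for retained pipeline logs, so provenance is auditable later."""
    p = scanner_provenance(report_json)
    return (f"pipeline={pipeline_id} scan={p['scan_type']} analyzer=\"{p['analyzer']}\" "
            f"scanner=\"{p['scanner']}\" definitions=\"{p['definitions_version']}\"")


if __name__ == "__main__":
    for name, report in (("sast", SAMPLE_SAST_REPORT), ("ds", SAMPLE_DS_REPORT)):
        print(audit_record(report, "12345"))  # "12345" is a placeholder pipeline id
        print(f"  missing in {name} report: {missing_provenance(report) or 'nothing'}")
```

The `missing_provenance` output is the useful part for the auditability question: a pipeline step could emit it as a warning (or fail the job) whenever a report arrives without the fields approvers are expected to rely on, and `audit_record` gives a single retained log line to consult if a supply-chain incident is later investigated.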

Proposal
Include additional details within the MR and Pipeline to display scanners, scanner version, and scanner definition version (if applicable).
Permissions and Security
no changes
Documentation
Testing
What does success look like, and how can we measure that?
- Users can tell the type of scan, the scanner, and the version responsible for the finding within the MR and Pipeline.
- Is it auditable? Do we retain this data in the logs if some kind of supply chain attack occurred?
What is the type of buyer?
- Security First (Security has the final approval of merges)
- High-Risk environments (Financial, Public Sector, Critical Infrastructure)
- Getting Security Adoption of GitLab within enterprise customers