API to add additional content to pipeline security tab

Problem to solve

Users want to be able to run additional security tools and scans as part of their pipelines. Today, they can only do this by adding the scan to the pipeline themselves and then reading the results directly from a JSON/CSV/etc. file, or by having a comment posted to an issue through some bespoke automation. Instead, they want to view these results directly in the Security tab of a pipeline, so they can remain in GitLab.

Intended users

  • Sam (Security Analyst)
  • Sasha (Software Developer)
  • 3rd-party tool and service providers

Further details

Proposal

Introduce a new API that allows custom content to be added to the Security tab as part of a pipeline run.

Minimal

  1. A new API is available for integrators to access.
    1. The API requires the following information to be submitted
      1. Tool name
      2. Tool image
      3. Authentication / authorization token
    2. The API allows the following information to be submitted
      1. Freeform text
      2. Tabular set of data to display
        1. If used, the column names and number of columns must be provided with the API (perhaps during integration installation?)
      3. Discuss and confirm this with the team
  2. A new job is introduced into pipelines, which runs in parallel with other security scanning jobs
    1. This job pushes an event to all integrations subscribed to the API (such as through a webhook)
    2. Feedback is welcome on whether this is the right approach or whether we should do something different
  3. A GitLab user must explicitly enable an integration to be able to subscribe to and push events through this API.
    1. This user must be an admin or maintainer of the instance or project.
  4. Usage analytics reporting
    1. Record the number of integrations per-project
    2. Record the number of times integrators added content to an MR
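To make the minimal contract above concrete, here is an added sketch (not GitLab code, and not a real GitLab API) of how a receiving endpoint could validate one submission against an integration that a maintainer or admin explicitly enabled. The field names `tool_name`, `tool_image`, `token`, `text` and `rows`, and the `Integration` record with columns declared at installation time, are assumptions drawn from the proposal.

```python
"""Hypothetical validator for the proposed Security-tab content API.

Added illustration only: the field names and rules are assumptions taken
from the proposal text, not GitLab's actual API.
"""
import hmac
from dataclasses import dataclass

# Information the proposal says every submission must carry.
REQUIRED = ("tool_name", "tool_image", "token")


@dataclass
class Integration:
    """An integration explicitly enabled for a project by an admin/maintainer."""
    tool_name: str
    token: str
    columns: tuple        # column names declared during integration installation
    enabled_by_role: str  # role of the user who enabled it ("admin"/"maintainer")


def validate_submission(payload: dict, integration: Integration) -> list:
    """Return rejection reasons; an empty list means the content is accepted."""
    errors = []
    for key in REQUIRED:
        if not payload.get(key):
            errors.append(f"missing required field: {key}")
    if integration.enabled_by_role not in ("admin", "maintainer"):
        errors.append("integration was not enabled by an admin or maintainer")
    token = payload.get("token")
    # Constant-time comparison so the check does not leak the token by timing.
    if isinstance(token, str) and not hmac.compare_digest(token, integration.token):
        errors.append("token does not match the enabled integration")
    if payload.get("tool_name") and payload["tool_name"] != integration.tool_name:
        errors.append("tool_name does not match the enabled integration")
    text = payload.get("text")
    if text is not None and not isinstance(text, str):
        errors.append("freeform text must be a string")
    rows = payload.get("rows")
    if rows is not None:
        if not integration.columns:
            errors.append("tabular data submitted but no columns were declared")
        else:
            # Every row must line up with the declared columns so the tab renders cleanly.
            for i, row in enumerate(rows):
                if len(row) != len(integration.columns):
                    errors.append(f"row {i} has {len(row)} cells, expected {len(integration.columns)}")
    if text is None and rows is None:
        errors.append("submission carries neither freeform text nor tabular data")
    return errors
```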

Next / Follow-on

Permissions and Security

GitLab Ultimate

Documentation

Testing

What does success look like, and how can we measure that?

Number of times an integrator added content to an MR. Target => 10,000 in first 90 days after release.

  • This will show that integrators are aware of and able to use the APIs as well as that end-users have successfully configured it and are using it as part of their own projects.

What is the type of buyer?

GitLab Ultimate

Links / references
