Add Additional Link To Vulnerability Report That Brings User To FIRST Commit Where The Secret Was Introduced
Release notes
Our developers are having a hard time addressing historical secret detection findings quickly, because currently the file location link only points to the most recent commit. This is not helpful when the file containing the finding no longer exists in the latest commit, or has moved from its original location. To fix this, an additional link is needed in the vulnerability report that leads developers to the initial commit where the secret was first introduced.
Problem to solve
As a developer, I want to be able to navigate to a historical secret's initial commit, so I can confirm whether the historical secret has been rotated and is no longer present elsewhere in the repository.
Note
We should introduce this for all vulnerability types (not just secrets) if possible, per #339600 (comment 724111884).
Intended users
Anyone with a minimum role of Developer.
User experience goal
The user should be able to use the GitLab UI's vulnerability report to navigate to the initial commit of a finding.
Proposal
An additional link is needed in vulnerability report findings that leads developers to the initial commit where a finding was first introduced.
Further details
N/A
Permissions and Security
Same permissions and security as developer role.
Documentation
https://docs.gitlab.com/ee/user/application_security/vulnerabilities/index.html
Availability & Testing
No risk to availability, testing is done within an existing feature.
Available Tier
Ultimate/Gold
What does success look like, and how can we measure that?
Success is achieved when an additional link is added to vulnerability report findings which brings the user to the initial commit of the finding.
What is the type of buyer?
Ultimate/Gold
Is this a cross-stage feature?
Don't believe so?
Links / references
Implementation Plan
- Determine whether the introducing commit is already available in the API.
- Following the designs below, link to the commit in the details > location section.
Per the note above, ideally we introduce this link for all vulnerability types, not just secrets.
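As an added example (not GitLab's code and not part of this issue), the following shell functions show what the proposed link would point at: the oldest commit whose diff introduced a secret-like string, together with a check that the string is no longer present at HEAD. The demo repository, file name and token value are constructed for the example; `git` is assumed to be installed.

```shell
#!/bin/sh
# Added example: locate the first commit that introduced a secret-like string
# and check whether the string still appears anywhere at HEAD.

# first_commit_introducing <repo-dir> <string>
# Prints the full hash of the oldest commit whose diff changed the number of
# occurrences of <string> (git's "pickaxe" search, -S), across all refs.
first_commit_introducing() {
  git -C "$1" log --all --reverse --format=%H -S"$2" | head -n 1
}

# still_present_at_head <repo-dir> <string>
# Returns 0 if the string occurs in any tracked file at HEAD, 1 otherwise.
still_present_at_head() {
  git -C "$1" grep -q -F -e "$2" HEAD -- . 2>/dev/null
}

# make_demo_repo <string>
# Builds a small constructed repository: the fake token is committed in
# config.yml, then replaced in a later commit (simulating a rotated secret).
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf 'api_key: %s\n' "$1" > "$dir/config.yml"
  git -C "$dir" add config.yml
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m "add config"
  printf 'api_key: REDACTED\n' > "$dir/config.yml"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -am "rotate key"
  echo "$dir"
}
```

The first function is the historical lookup the requested link would save the developer from doing by hand; the second is the follow-up check from the problem statement (has the secret actually gone away at the current tip).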