Improve vulnerability triage by leveraging codeowners


Release notes

Problem to solve

For a big project like GitLab, it is likely that several teams share the same project and own different parts of the codebase.

When it comes to vulnerability reports, there is no way to split the results by owner, so every team has to look at the complete list of vulnerabilities.

This makes it very inefficient to distribute the triage work among the relevant teams.

Proposal

We could leverage Code Owners to find the relevant people to triage a given vulnerability.

Example workflow:

  1. Vulnerability X is created and impacts the file foo/bar/baz.rb.
  2. We look up the corresponding code owners for foo/bar/baz.rb (or, if there is no entry for the file itself, for its parent directories).
  3. If code owners are identified, we add a comment to the vulnerability (using the security bot?) that pings them and asks them to triage it.
  4. The code owners receive a notification (todo/email).

Note 1: this only works for vulnerabilities that can be associated with a file that belongs to the repository (e.g. SAST, Secret Detection, Dependency Scanning, etc.). Findings without a file location (e.g. DAST results) would still need manual routing.

Note 2: for the MVC, a ping in a comment might be good enough, but we could also think about adding assignees to vulnerabilities.
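To make steps 2 and 3 concrete, here is an added example (illustrative Ruby, not GitLab's own Code Owners implementation) that parses a constructed CODEOWNERS file, resolves the owners for a vulnerability's file path, and builds the triage comment. It assumes plain `pattern @owner ...` lines with no sections, and approximates the pattern rules: `/dir/` is anchored at the repository root and covers everything beneath it (which is what gives the parent-directory fallback), a slash-free glob such as `*.rb` matches the file name, and when several entries match, the last one in the file wins.

```ruby
# Constructed sample CODEOWNERS for the example; most specific entries last.
CODEOWNERS_SAMPLE = <<~OWNERS
  *            @default-maintainers
  *.rb         @ruby-reviewers
  /docs/       @docs-team
  /foo/        @team-foo
  /foo/bar/    @team-bar
OWNERS

# Parse into [pattern, [owners]] pairs, dropping comments and blank lines.
def parse_codeowners(text)
  text.each_line.map do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    pattern, *owners = line.split(/\s+/)
    [pattern, owners]
  end.compact
end

# Simplified gitignore-style matching of one CODEOWNERS pattern against a path.
def pattern_matches?(pattern, path)
  dir_only = pattern.end_with?('/')
  pat = pattern.delete_prefix('/').delete_suffix('/')
  return false if pat.empty?
  anchored = pattern.start_with?('/') || pat.include?('/')
  if anchored
    # Root-anchored: a directory entry covers the file and every parent lookup.
    return dir_only ? path.start_with?("#{pat}/") : File.fnmatch?(pat, path, File::FNM_PATHNAME)
  end
  # Unanchored: match the file name, or any parent directory component.
  dir_only ? path.split('/')[0...-1].include?(pat) : File.fnmatch?(pat, File.basename(path))
end

# Step 2: owners for a vulnerability's file location; [] when nobody matches.
def owners_for(path, entries)
  path = path.delete_prefix('./').delete_prefix('/')
  match = entries.reverse.find { |pattern, _| pattern_matches?(pattern, path) }
  match ? match[1] : []
end

# Step 3: the comment the security bot would post; nil when no owner is found,
# so the vulnerability can fall back to the default triage queue.
def triage_comment(vuln_id, path, entries)
  owners = owners_for(path, entries)
  return nil if owners.empty?
  "#{owners.join(' ')} please triage vulnerability #{vuln_id} reported in #{path}"
end
```

For `foo/bar/baz.rb` this resolves to `@team-bar` (the most specific directory entry), while a Ruby file outside `foo/` falls through to `@ruby-reviewers`.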
