Provide JSON schemas for the Security reports

Problem to solve

Developers and integrators contributing GitLab security scanners can't easily check that the scanners they maintain generate valid, compliant Secure reports. They can't be sure that the output of their scanners integrates well with GitLab.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Devon (DevOps Engineer)

Further details

To help integrators ensure they generate a compatible security report, we need to provide a JSON Schema.

Proposal

Publish a base JSON schema that all Secure reports must validate against, as well as specific JSON schemas for SAST, Dependency Scanning, Container Scanning, and DAST.

Keep the schemas together with the common library in a dedicated git repository. See #34652 (comment 234145253)

Automatic validation of generated reports using this JSON schema is covered by #34654 (closed).

Implementation plan

  • Base schema
  • SAST schema
  • Dependency Scanning schema
  • Container Scanning schema
  • DAST schema
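As an added illustration of the proposal (example code, not GitLab's published schemas and not the common library's validator), the block below shows how a base schema and a scanner-specific schema can be layered, and how an integrator would check a generated report against them. The field names (version, vulnerabilities, id, category, name, severity, location) and the enum values are assumptions chosen for the example; the validator covers only the JSON Schema keywords the example uses (type, required, properties, items, enum, allOf) using the standard library, so it runs without extra dependencies.

```python
import json

# Assumed base schema (constructed for this example, not GitLab's published one):
# every Secure report carries a version and a list of findings with core fields.
BASE_SCHEMA = {
    "type": "object",
    "required": ["version", "vulnerabilities"],
    "properties": {
        "version": {"type": "string"},
        "vulnerabilities": {"type": "array", "items": {
            "type": "object",
            "required": ["id", "category", "name", "severity"],
            "properties": {
                "id": {"type": "string"},
                "category": {"enum": ["sast", "dependency_scanning",
                                      "container_scanning", "dast"]},
                "name": {"type": "string"},
                "severity": {"enum": ["Critical", "High", "Medium",
                                      "Low", "Info", "Unknown"]},
            },
        }},
    },
}

# Assumed SAST schema: the base schema plus a required file/line location,
# expressed with allOf so the base constraints are reused, not copied.
SAST_SCHEMA = {"allOf": [BASE_SCHEMA, {
    "properties": {"vulnerabilities": {"items": {
        "required": ["location"],
        "properties": {"location": {
            "type": "object",
            "required": ["file", "start_line"],
            "properties": {"file": {"type": "string"},
                           "start_line": {"type": "integer"}},
        }},
    }}},
}]}

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "number": (int, float), "boolean": bool}


def validate(instance, schema, path="$"):
    """Validate `instance` against the JSON Schema subset used above
    (type, required, properties, items, enum, allOf). Returns error strings;
    an empty list means the instance conforms."""
    errors = []
    for sub in schema.get("allOf", []):
        errors += validate(instance, sub, path)
    expected = schema.get("type")
    if expected is not None:
        # bool is a subclass of int in Python; JSON Schema does not treat it so.
        bool_as_num = expected in ("integer", "number") and isinstance(instance, bool)
        if bool_as_num or not isinstance(instance, _TYPES[expected]):
            return errors + [f"{path}: expected {expected}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in {schema['enum']}")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property '{key}'")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors += validate(instance[key], sub, f"{path}.{key}")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors


def check_report(report_json, schema):
    """Parse a report produced by a scanner and validate it: (is_valid, errors)."""
    errors = validate(json.loads(report_json), schema)
    return (not errors, errors)


# Constructed sample reports, not real scanner output.
FINDING = {"id": "f0e1d2c3", "category": "sast",
           "name": "Use of hardcoded credential", "severity": "High"}
VALID_SAST_REPORT = json.dumps({"version": "2.4", "vulnerabilities": [
    dict(FINDING, location={"file": "app/config.rb", "start_line": 12})]})
# Same finding without a location: passes the base schema, fails the SAST one.
BASE_ONLY_REPORT = json.dumps({"version": "2.4", "vulnerabilities": [FINDING]})
# Severity outside the allowed enum: fails even the base schema.
BAD_SEVERITY_REPORT = json.dumps({"version": "2.4", "vulnerabilities": [
    dict(FINDING, severity="Severe")]})

if __name__ == "__main__":
    for name, report in (("valid", VALID_SAST_REPORT),
                         ("no location", BASE_ONLY_REPORT),
                         ("bad severity", BAD_SEVERITY_REPORT)):
        ok, errs = check_report(report, SAST_SCHEMA)
        print(f"{name}: {'valid' if ok else errs}")
```

The point of the layering is that a report can satisfy the base schema while still failing its scanner-specific schema, so an integrator should validate against both; the errors carry a JSON path so a scanner author can see exactly which field is missing or out of range.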

Permissions and Security

Documentation

  • Update the Security scanner integration documentation, created as part of #34649 (closed), and point to this JSON Schema

Testing

Validate the presence of the JSON schema for security reports.

What does success look like, and how can we measure that?

Developers and integrators can easily check that the scanners they maintain generate valid Secure reports.

What is the type of buyer?

Mostly GitLab Ultimate; could also apply to Core users for SAST, see #32602 (closed)

Links / references

Edited Jun 15, 2020 by Olivier Gonzalez