Discovery, Auto-remediation: auto-merge merge request with fixes
Problem to solve
#36500 (closed) is an MVC for the auto-creation of merge requests that contain fixes to known vulnerabilities. The problem is that the user must individually review the auto-created MRs and merge them. This leaves the user having to 1) proactively find the MRs (burdensome), and 2) then merge them one by one (time-consuming).
Further context and details
- This is a follow-up discovery issue to the auto-remediation discovery #14059 (closed). In that discovery we focused broadly on a path forward and on an MVC for auto-creation of merge requests with known solutions (#14059 (closed)).
- There is UX research ux-research#530 (closed) underway looking at the MVC and informing this discovery, which is focused on auto-merging auto-created merge requests.
- Current auto-remediation capabilities affect projects that use dependency scanning and yarn. As we evolve the UX for auto-remediation, our objective is 1) a generic auto-remediation UX that handles multiple capabilities (consistent UX across different capabilities) and 2) getting closer to an out-of-box UX (meaning it works without configuration). An example of an upcoming capability is #35433 (closed) (based on #9384 (closed)).
- Findability of auto-created MRs, based on #36500 (closed): the user could identify an auto-created MR on the security dashboard, filter the MR list by the GitLab-autofix-vulnerabilities label, or see a notification banner for the MR on the dashboard.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Proposal
Iterating on our MVC, let's explore and focus on how we can auto-merge the auto-created merge request. We also want to review the following:
- Filtering by auto-fix section: instead of relying on a label
- Re-evaluate auto-created MR author alternatives such as a ghost user or bot
- Getting closer to out-of-box UX, that is, the feature is on by default
- User feedback from ux-research#530 (closed) study
What does success look like?
The team produces next steps that include:
- Improvements to the current MVC
- An auto-merge auto-created MR MVC implementation plan/issue
- Identify our hypothesis/questions and test for validity/clarification (#36503)
What is the type of buyer?
~Ultimate
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.