Draft: Research: Vulnerability management in the pipeline security tab

Overview

We have a number of outstanding questions about how users use - and would like to use - the findings in the security tab of the pipeline page, and how it relates to and ties in with the workflows of findings in the MR and on the Vulnerability Report.

Some of the questions identified (from the thread in [Spike - 1D] Add GraphQL mutations / fields to support the vulnerability modal's actions):

  • How is the pipeline security tab currently used? What's working and what's not?
    • In what ways should it be like the Vulnerability Report? In what ways should it be different?
    • Note that it’s the only place in the product that currently offers a full view of both new findings in the branch and existing vulnerabilities from the branch's parent (default). How valuable is this, keeping in mind that this is something we may be able to add to the Vulnerability Report (findings in a branch could be a filter on the Vulnerability Report)?
    • Do users want to be able to take actions on findings and vulnerabilities from the pipeline security tab? Would they want to dismiss or create an issue/MR from a finding in anything but the latest pipeline for the branch?
      • How would they feel about being pointed back to the MR to take such actions, where they would have discussions/comment threads?
        • How do users want us to handle pipelines running without MRs? What would we do for a branch pipeline without an attached MR (that isn't run on the default branch)?
  • Do we need the security tab at all? Is this the ideal place to refer users to from the security widget in the MR, or should we introduce a security tab in the MR?
    • We have to consider pipelines without MRs, but we could add functionality to the Vulnerability Report (e.g. a filter letting the user narrow down to a particular pipeline or MR) rather than using the security tab of the pipelines page.

Persona

Sam, Security Analyst, and Sasha, Software Developer

Strategy

Option 1 - Survey sent to any Ultimate customers using Secure features

Option 2 - Moderated research sessions

cc @moliver28

Edited by Becka Lippert