Include SAST findings inline in the MR Changes tab (diff view)
Proposal
Include SAST findings in the Changes tab of the MR, as is currently done for Category:Code Quality. This means that the SAST findings identified in a given MR's SAST scans would appear in the Changes tab on the line to which the finding applies.
Details
- Code Quality and SAST findings may be presented together or separately, depending on UX design and Development feasibility. (Either is acceptable as a first iteration from a Product perspective.)
- It is acceptable to equate severity levels if needed (for example, defining Blocker and Critical to be equivalent). In the future we may make certain requirements on what values can be present, but today the allowed values are defined for Code Quality and separately for all Secure analyzers.
- Note from UX: Ideally, security and code quality findings should appear in separate lists (see design for reference). Generally speaking, security findings and code quality findings may be addressed separately. Combining them into a single list will reduce developer efficiency and add mental strain.
- This feature will be available for GitLab Ultimate because it relies on Ultimate-only features to process Sec analyzer outputs. As with all features, we may revisit this tiering decision in the future.
- Clicking on a security finding should open a vulnerability details modal
Additional details should be added here as questions are identified and decisions are made.
Out of scope
- Secret Detection is not in the initial scope. SAST is prioritized because its findings are likely harder to understand without the context provided by the diff view. Secret Detection would be the natural next data source to plug into this view.
- Fixed (resolved) findings are also not shown in this iteration; the initial focus is on new findings introduced by the MR. New findings are the ones that need fixing now, while resolved findings are more of an "extra credit" signal.
- However, the API design for this feature (#389867 (closed)) should return resolved findings as well, making this a potential future iteration. Showing that you've resolved findings is a positive signal and can help demonstrate that SAST has driven a security improvement.
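As an added example (not GitLab's own code or API), the following shows how the new-versus-resolved split above, and the matching of a finding to the line it applies to in the diff view, can be computed from a base-branch SAST report, the MR head's SAST report, and the MR's unified diff. The report shape (a `vulnerabilities` list with `name`, `severity`, `identifiers` and `location.file` / `location.start_line`) is modeled on GitLab's Secure report JSON, but only those keys are used; the fingerprint is a deliberate simplification and does not reproduce GitLab's own finding-identity logic; the two reports and the diff are constructed sample data.

```python
"""
Added example, not GitLab code: classify SAST findings for an MR as
new / existing / resolved and mark which new findings sit on a '+' line
of the diff (the line the Changes tab would attach them to).

Assumptions (not from the proposal):
- Report shape follows GitLab Secure report JSON, but only the keys
  name, severity, identifiers, location.file, location.start_line are read.
- Finding identity = (file, name, first identifier). This is a simplified
  fingerprint; it ignores the line so that a finding that merely moved is not
  reported as new + resolved, at the cost of collapsing duplicate findings.
- The diff is a unified diff (git diff base...head); only '+' lines and
  '@@' hunk headers are needed to learn which new-side lines were added.
"""
import re
from typing import Dict, List, Set, Tuple

# --- Constructed sample input (not from any real repository) ---------------
BASE_REPORT = {"vulnerabilities": [
    {"name": "Use of weak hash", "severity": "Medium",
     "identifiers": [{"type": "cwe", "value": "CWE-328"}],
     "location": {"file": "app/auth.py", "start_line": 12}},
    {"name": "SQL injection", "severity": "High",
     "identifiers": [{"type": "cwe", "value": "CWE-89"}],
     "location": {"file": "app/db.py", "start_line": 40}},
]}
HEAD_REPORT = {"vulnerabilities": [
    {"name": "Use of weak hash", "severity": "Medium",
     "identifiers": [{"type": "cwe", "value": "CWE-328"}],
     "location": {"file": "app/auth.py", "start_line": 12}},
    {"name": "Command injection", "severity": "Critical",
     "identifiers": [{"type": "cwe", "value": "CWE-78"}],
     "location": {"file": "app/tasks.py", "start_line": 7}},
]}
# The MR parameterizes the query in db.py and adds a shell=True call in tasks.py.
MR_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -38,4 +38,3 @@ def lookup(conn, name):
     cur = conn.cursor()
-    q = "SELECT * FROM users WHERE name = '" + name + "'"
-    cur.execute(q)
+    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
     return cur.fetchall()
diff --git a/app/tasks.py b/app/tasks.py
--- a/app/tasks.py
+++ b/app/tasks.py
@@ -4,3 +4,5 @@ import subprocess
 def run(job):
     cmd = job["cmd"]
-    return subprocess.run(cmd.split())
+    # new code path added in this MR
+    return subprocess.run(cmd, shell=True)
+
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff: str) -> Dict[str, Set[int]]:
    """Map each new-side file path to the set of line numbers the MR adds."""
    added: Dict[str, Set[int]] = {}
    path, new_line, in_hunk = "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False          # file header: hunk lines cannot follow directly
            continue
        m = HUNK_RE.match(raw)
        if m:                         # hunk header carries the new-side start line
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].split("\t")[0]
                path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("\\"):      # "\ No newline at end of file"
            continue
        if raw.startswith("+"):
            added.setdefault(path, set()).add(new_line)
            new_line += 1
        elif not raw.startswith("-"):  # context line; removed lines do not advance
            new_line += 1
    return added


def fingerprint(v: dict) -> Tuple[str, str, str]:
    """Simplified identity: file + finding name + first identifier."""
    first = (v.get("identifiers") or [{}])[0]
    return (v["location"]["file"], v["name"],
            f'{first.get("type", "")}:{first.get("value", "")}')


def classify(base: dict, head: dict, diff: str) -> Dict[str, List[dict]]:
    """Split head findings into new/existing, list resolved base findings, and
    flag new or existing findings whose line is a '+' line in this MR's diff."""
    changed = added_lines(diff)
    base_fps = {fingerprint(v) for v in base["vulnerabilities"]}
    head_fps = {fingerprint(v) for v in head["vulnerabilities"]}
    out: Dict[str, List[dict]] = {"new": [], "existing": [], "resolved": []}
    for v in head["vulnerabilities"]:
        loc = v["location"]
        entry = {"file": loc["file"], "line": loc["start_line"], "name": v["name"],
                 "severity": v["severity"],
                 "on_added_line": loc["start_line"] in changed.get(loc["file"], set())}
        out["new" if fingerprint(v) not in base_fps else "existing"].append(entry)
    for v in base["vulnerabilities"]:
        if fingerprint(v) not in head_fps:
            loc = v["location"]
            out["resolved"].append({"file": loc["file"], "line": loc["start_line"],
                                    "name": v["name"], "severity": v["severity"]})
    return out


if __name__ == "__main__":
    for bucket, entries in classify(BASE_REPORT, HEAD_REPORT, MR_DIFF).items():
        for e in entries:
            print(f"{bucket:9} {e['severity']:8} {e['file']}:{e['line']}  {e['name']}"
                  + ("  [on added line]" if e.get("on_added_line") else ""))
```

On the sample data the command-injection finding is new and lands on a `+` line (tasks.py:7), so the diff view has a concrete line to anchor it to; the weak-hash finding is pre-existing and sits on unchanged code; and the SQL-injection finding from the base report is resolved. The `on_added_line` flag is the check a practitioner will want before rendering inline: a new finding reported on a line the MR did not touch (for example, because a new rule version fired on old code) has no `+` line to attach to and needs a fallback presentation.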
Related materials
- Original designs for inline findings: Design │ MVC │ Inline findings in the MR (#322689 - closed)
- Code Quality update efforts: Bring Code Quality inline diff display closer t... (#359847 - closed)
Edited by Connor Gilbert