Provide UI hint about 25 finding limitation in security MR widget
Proposal
In the !124920 (merged) MR we documented this limitation in the Ultimate section of the docs about viewing security scan information in merge requests:
The widget only displays the first 25 findings of each type, sorted by severity. To see all findings, select View full report to go directly to the Security tab in the latest branch pipeline.
When viewing the MR security widget in the UI, this limitation is not clear. This issue proposes adding a UI hint to clarify that 25 is not the total number of vulnerabilities that were found.
Without this UI hint, it can look like there is a large and unexplained discrepancy between the number of vulnerabilities reported in the MR and the number reported on the pipeline's Security tab. This can be confusing, especially for folks who are new to our scanners.
The need for this UI hint came up in a ticket that is available to GitLab team members with access to Zendesk.
💡 Ideas
A few ideas for what I think would be helpful here. These options are not mutually exclusive: we could implement multiple.
1️⃣ Add "at least" (or similar wording)
We say things like this today:
Security scanning detected 25 new potential vulnerabilities
SAST detected 25 new potential vulnerabilities
We could say something like this instead:
Security scanning detected 25 (or more) new potential vulnerabilities
SAST detected 25 (or more) new potential vulnerabilities
or:
Security scanning detected at least 25 new potential vulnerabilities
SAST detected at least 25 new potential vulnerabilities
Building on the suggestions in the issue, we could say:
Security scanning detected 25+ new potential vulnerabilities
SAST detected 25+ new potential vulnerabilities
or:
Security scanning detected more than 25 new potential vulnerabilities
SAST detected more than 25 new potential vulnerabilities
2️⃣ Adjust the tooltip
There is an
3️⃣ Change Full report
We might change the Full report text to be a much stronger hint. When there are more vulnerabilities than can be shown, perhaps it says something more like: See all vulnerabilities.
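To make Ideas 1 and 3 concrete, here is an added example (not GitLab's widget code) that models the 25-per-type cap and produces the "at least" wording and the stronger link text whenever a report type hits the cap. The finding field names, the severity order and the constructed sample findings are assumptions for illustration.

```javascript
// Added example, not GitLab's widget code: models the 25-findings-per-type cap
// and the hint wording from Ideas 1 and 3. Field names and severity order are assumed.
const WIDGET_LIMIT = 25;
const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'unknown'];

// Group findings by report type, sort each group by severity (most severe first)
// and keep only the first `limit`, mirroring what the MR widget displays.
function truncateFindings(findings, limit = WIDGET_LIMIT) {
  const byType = new Map();
  for (const f of findings) {
    if (!byType.has(f.reportType)) byType.set(f.reportType, []);
    byType.get(f.reportType).push(f);
  }
  const result = {};
  for (const [type, list] of byType) {
    list.sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
    result[type] = { shown: list.slice(0, limit), total: list.length, truncated: list.length > limit };
  }
  return result;
}

// Build the widget text. Whenever a type hit the cap, the count is prefixed with
// "at least" (Idea 1) and the report link reads "See all vulnerabilities" (Idea 3).
function widgetSummary(findings, limit = WIDGET_LIMIT) {
  const perType = truncateFindings(findings, limit);
  const lines = [];
  let shownTotal = 0;
  let anyTruncated = false;
  for (const [type, { shown, truncated }] of Object.entries(perType)) {
    shownTotal += shown.length;
    anyTruncated = anyTruncated || truncated;
    lines.push(`${type} detected ${truncated ? 'at least ' : ''}${shown.length} new potential vulnerabilities`);
  }
  return {
    headline: `Security scanning detected ${anyTruncated ? 'at least ' : ''}${shownTotal} new potential vulnerabilities`,
    lines,
    linkText: anyTruncated ? 'See all vulnerabilities' : 'Full report',
  };
}

// Constructed sample input: 30 SAST findings (over the cap) and 3 Secret Detection findings.
const sampleFindings = [
  ...Array.from({ length: 30 }, (_, i) => ({ reportType: 'SAST', severity: i < 5 ? 'high' : 'low' })),
  ...Array.from({ length: 3 }, () => ({ reportType: 'Secret Detection', severity: 'critical' })),
];
```

With the sample input the headline reads "Security scanning detected at least 28 new potential vulnerabilities" even though 33 findings exist, which is exactly the discrepancy the hint is meant to explain.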