@-Mention Slack integration

Release notes

With this change we expand notification events in GitLab for Slack app. Now you can trigger notifications for group mentions in issue and merge request descriptions, comments on issues, merge requests, and commits.

Description

An integration with Slack that creates a message in a particular channel for @-mentions of particular teams (ex gitlab-com/gl-security/appsec). Some additional information and history can be found in this previous issue describing this need for AppSec.

Why is this needed?

• Increases visibility for pings
• Makes it easier to collaborate/coordinate on who is going to handle these pings
• Allows us to use a or other indicator to make it clear that it has been reviewed
• (for AppSec) it's a core part of our triage rotation

What are the resource savings (time and cost)?

• Reduces team member time overlap in ping responses
• Reduces time other teams spend being blocked by or waiting for a response
• (for AppSec) Our current implementation is prone to breaking and is only accessible/fixable by a Senior Manager

Which team is requesting this?

AppSec specifically, although other teams would certainly benefit from it. @agroleau mentioned that this might even be a feature for the product itself.

What is your definition of done?

@-mentions for our group showing up in the #sec-appsec Slack channel

assigned to @adietrich

mentioned in epic gitlab-com/gl-security&178 (closed)

added to epic gitlab-com/gl-security&178 (closed)

assigned to @agroleau

assigned to @adietrich

mentioned in merge request !96684 (merged)

@mushakov @arturoherrero This seems to be in your wheelhouse? (TL;DR The AppSec team would like to be notified on Slack whenever their group is @-mentioned anywhere on GitLab.com.)

The Security Automation team has recently started looking into implementing this. It seems like this could be related, but not quite an extension of the Slack notifications we already have for project-level events. In addition to Slack, supporting other chat services in the future might make sense.

Do you have any guidance for us on how to proceed here?

@g.hickman @.luke Do you know if we have this feature as part of our epic &7536?

Oh wow, thanks for pointing out that epic!

@agroleau Looks like there's going to be a complete rewrite of the Slack integration (i.e. Removal of Slack Notifications Integration). Maybe we should think about an external automation focused on the AppSec use case, to solve their problem until the above epic gets implemented?

@arturoherrero @adietrich #353178 (closed) may be the closest, and a related issue #17958.

@.luke The AppSec request needs a group-wide notification (channel webhook, not DMs), because they would like to coordinate the response to @-mentions on GitLab.com.

@adietrich I see! Just to answer Arturo's question, I'm not aware of an existing issue for this.

@arturoherrero @.luke Thanks for checking!

@agroleau and I talked about this some more, and thought it might make sense to add this Group mentioned notification type to the existing Slack integration, so it can become part of the new design at some point in the future. WDYT?

@adietrich Apologies for the delayed response on my end. I was looking into this and it's an interesting request. We've been focused on surfacing notifications from key events within the product to Slack Channels and DMs, but haven't explored too deeply how we might hook into the Group / Project notifications (Preferences > Notifications).

I can see the value and have heard requests from customers to be able to essentially choose Slack as the notification option for notifications instead of email. I wonder if as an MVC we could start by defining a Group Webhook for groups/projects. This could be more generic for use in many systems and could give us the means to add it as an option to multiple chat integrations possibly

From there it's possible to enable webhooks in Slack a bit more manually as a starting point, but we could work on bringing it into the Slack integration itself in the future.

Thinking out loud, though. I would want more feedback from @arturoherrero and @.luke on this (cc @Andysoiron as Luke is ). @mushakov may also have thoughts on the impact to GitLab notifications generally.

I understand this is a new Slack trigger for mentions.

We need to work with UX to validate this approach, but I see that we need two input fields:

1. Handles to track: @arturoherrero, @gitlab-com/gl-security/appsec
2. Channels to notify: #alerts, #security, #development, #general

@g.hickman Thanks for your input! I like the idea of treating this in a more generic way, i.e. a project being mentioned might be as interesting for some users as a group being mentioned.

@arturoherrero I think the handle to track would be the group or project path where the new notification type of i.e. Mentioned is activated. My understanding of the existing integration is that the channel to notify is implicitly configured by the Slack webhook URL, but custom channels would be cool too.

I have implemented this (prototypically for comments) in this MR, but it does present a few usability issues (see this comment).

Would love some thoughts from the Integrations team on whether implementing this as yet-another-event-type (temporarily) seems feasible, we should go an entirely separate route, or this should wait for the full rewrite of the Slack integration.

but it does present a few usability issues

I've replied on the MR !96684 (comment 1124490397).

Would love some thoughts from the Integrations team on whether implementing this as yet-another-event-type (temporarily) seems feasible

@g.hickman The implementation in !96684 (merged) is to post a message to the Slack channel that says:

"Group <Group name with link> was mentioned in a <Comment with link> in project <Project name with link>"

when a group is mentioned in a comment.

What are your thoughts?

or this should wait for the full rewrite of the Slack integration

It should be okay to go ahead and do this before we finish &8670 (closed) as we're going to support all of the existing notification functionality initially at least.

@adietrich Hmm, a few questions that come to mind immediately:

1. How does a user specify the channel(s) they want group mentions to send to?
2. Could a group send notifications to multiple different channels or would it require only one channel?
3. Would this be enabled by default or is there a way to toggle the feature on/off?
4. There is the question Luke shared in the MR about public vs private projects and what we could/should expose in Slack channels.
5. Is this prototype working for you locally / within our Dev app? It may help to do a quick walkthrough video to see how this is working for you and consider any implications.

Otherwise, this does seem like a useful addition and great to see your team taking it up!

@g.hickman Thanks for the comment!

1. The current (WIP) MR uses the Slack webhook URL from the Integrations settings. The text field for custom channels exists, but is not used yet.
2. That's probably up to our implementation (see above).
3. The default for Mention events is off.
4. That's a very good point! I suppose a checkbox for i.e. Public projects only would be useful.
5. Right now it's working in my GDK. I can try to record a walkthrough video.

If we go forward with this particular approach, I will definitely need some help to address the usability issues I mentioned in the MR (and which hopefully will be visible in the walkthrough video soon).

Update for #1 and #2, according to Slack documentation:

You cannot override the default channel (chosen by the user who installed your app), username, or icon when you're using Incoming Webhooks to post messages.

So these settings apparently no longer work.

Edits:

It looks like the custom channel list is passed to the channel parameter of the slack-notifier for the existing event types, but this no longer works, at least in my test setup.

For #4, it looks like the usual approach is to implement a separate Confidential event version, i.e. Issue and Confidential issue.

Thanks for the responses @adietrich. I'll reserve any further feedback for the video you are working towards, but sounds like all is on track! If there's anything specific I can help with, let me know.

Adding the gitlab-com/gl-security/engineering-and-research/automation-team/automation~16948121 label to this, as discussed with @agroleau.

changed the description

marked the checklist item Investigate if/how custom channel settings are used by existing notifications as completed

changed the description

@ankelly Slack notifications that are configured at the group level are currently inherited by all subgroups. If we implement the new Mention event type consistent with that, arbitrary subgroups of gitlab-com/gl-security/appsec would also generate Slack notifications by default, when @-mentioned. You would be able to disable this for individual subgroups, though. Would that work for you?

That sounds fine for our use case, @adietrich!

changed the description

marked the checklist item Solve setting-inheritance usability issue as completed