Spike: Continuous Vulnerability Scans should not require a pipeline with a user ID
Problem to solve
The following discussion from !128170 (merged) should be addressed:
- @bwill started a discussion: (+2 comments) Question: How are we going to have access to a pipeline model? I thought the intent of CVS was that it should be separate from pipelines? It looks like the only thing we use the pipeline for is getting the user_id, so perhaps we could use an internal user instead?
Proposal
Using an internal user as the author of vulnerabilities provides some benefits:
- It provides a way to track what vulnerabilities were created as part of a continuous scan.
- It provides clarity. A user will never have to wonder why it shows that their account created the vulnerability.
It's also proposed that a threat model is completed, or an existing one referenced, to account for potential security risks.
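The following is an added example, not GitLab's code, sketching the proposal above: authorship of a vulnerability is resolved from the scan's source, so a continuous scan needs no pipeline and is attributed to a dedicated internal user, which in turn makes its findings easy to track. The `User`, `Pipeline`, `Vulnerability` and `VulnerabilityStore` classes and the `CONTINUOUS_SCAN_BOT` account are constructed stand-ins, not the real GitLab models or bot account.

```ruby
# Added example (not GitLab's code). All classes are constructed stand-ins
# for the real models; the bot account is a placeholder, not GitLab's own.

User = Struct.new(:id, :username, :internal, keyword_init: true) do
  def internal?
    internal
  end
end

Pipeline = Struct.new(:id, :user, keyword_init: true)

Vulnerability = Struct.new(:id, :title, :author, :source, keyword_init: true)

# Internal (bot) account that owns findings produced by continuous scans.
CONTINUOUS_SCAN_BOT = User.new(id: 0, username: 'continuous-scan-bot', internal: true)

# Resolves who is recorded as the author of a vulnerability.
# Pipeline-triggered scans keep the pipeline's user; continuous scans carry
# no pipeline at all and are attributed to the internal user, so nobody sees
# their own account named as the creator of a finding they did not produce.
def resolve_author(source:, pipeline: nil)
  case source
  when :continuous_scan
    CONTINUOUS_SCAN_BOT
  when :pipeline_scan
    raise ArgumentError, 'pipeline scans require a pipeline' if pipeline.nil?
    pipeline.user
  else
    raise ArgumentError, "unknown scan source #{source.inspect}"
  end
end

# Minimal in-memory store standing in for the vulnerabilities table.
class VulnerabilityStore
  def initialize
    @records = []
    @next_id = 1
  end

  def create(title:, source:, pipeline: nil)
    author = resolve_author(source: source, pipeline: pipeline)
    record = Vulnerability.new(id: @next_id, title: title, author: author, source: source)
    @next_id += 1
    @records << record
    record
  end

  # Findings from continuous scans are identifiable by their internal author,
  # which is the tracking benefit the proposal describes.
  def from_continuous_scan
    @records.select { |v| v.author.internal? }
  end

  def all
    @records.dup
  end
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 42, username: 'alice', internal: false)
  store = VulnerabilityStore.new
  store.create(title: 'outdated dependency in libfoo (constructed sample)',
               source: :pipeline_scan, pipeline: Pipeline.new(id: 7, user: alice))
  store.create(title: 'outdated dependency in libbar (constructed sample)',
               source: :continuous_scan)
  store.from_continuous_scan.each do |v|
    puts "#{v.id}: #{v.title} (author: #{v.author.username})"
  end
end
```

The point of `resolve_author` is that the continuous-scan branch never touches a pipeline, so the scan can run without one; the `from_continuous_scan` query shows how the internal author doubles as a marker for findings created outside any pipeline.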
Implementation Plan
TODO
Edited by Fabien Catteau