Discuss new UX for enabling Dependency Scanning in CI pipelines
Problem to solve
The current UX for enabling and configuring Dependency Scanning in CI pipelines is not optimal.
- It contributes to the complexity and the maintenance cost of the Dependency Scanning CI template and the Gemnasium analyzer.
- It has compatibility issues with a significant amount of GitLab projects (mostly because of language versions, build tool versions, and system dependencies), and doesn't offer good workarounds for these.
Further details
TODO: elaborate on the problem to solve
Context
Today Dependency Scanning (DS) jobs upload a CycloneDX SBOM and a DS Report. However, the GitLab backend will no longer need DS reports once the epic "CVS: Trigger vulnerability scans on SBOM changes" (&8026) is completed.
Related to this, we're considering supporting CDX SBOM generators other than Gemnasium (the in-house solution), or even replacing Gemnasium. Related issue: #434143 for replacing Gemnasium with native generators, that is, generators implemented in the language they support. (Other generators like Trivy, Syft or cdxgen support multiple languages and aren't native.)
Software Composition Analysis already uses Trivy as an image scanner.
GitLab has introduced CI/CD components, and these might be more granular than the existing CI templates.
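To make the template-versus-component distinction concrete, here is an added example (not code from this issue or from the GitLab DS template itself) of the two ways a project could pull Dependency Scanning into its pipeline. The template include uses the real `Jobs/Dependency-Scanning.gitlab-ci.yml` path; the component project path, component name, version and input names (`target_path`, `offline`, `fips`) are hypothetical and only illustrate how a component could expose per-project settings as typed inputs instead of loosely documented CI variables.

```yaml
# --- Option A: today's template include (real template path) ---
# Configuration is done through CI variables, which the template
# reads at job runtime; there is no schema or validation for them.
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

variables:
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

# --- Option B: a hypothetical CI/CD component ---
# Assumed component file: templates/dependency-scanning.yml in a
# project called my-group/ds-component (placeholder names).
# The `spec.inputs` block declares what can be configured and with
# which defaults; GitLab validates inputs at include time.
spec:
  inputs:
    stage:
      default: test
    target_path:
      description: "Directory containing the lockfile(s) to scan"
      default: "."
    offline:
      type: boolean
      default: false
    fips:
      type: boolean
      default: false
---
dependency-scanning:
  stage: $[[ inputs.stage ]]
  variables:
    DS_TARGET_PATH: $[[ inputs.target_path ]]
    DS_OFFLINE: $[[ inputs.offline ]]
    DS_FIPS: $[[ inputs.fips ]]
  script:
    # Placeholder: the actual generator invocation depends on the
    # CDX generator chosen (see the discussion topics in this issue).
    - echo "scanning $DS_TARGET_PATH (offline=$DS_OFFLINE fips=$DS_FIPS)"
  artifacts:
    reports:
      cyclonedx: gl-sbom-*.cdx.json

# --- Consumer project's .gitlab-ci.yml using Option B ---
# include:
#   - component: $CI_SERVER_FQDN/my-group/ds-component/dependency-scanning@1.0.0
#     inputs:
#       target_path: backend
#       fips: true
```

The difference that matters for the UX discussion is where configuration lives: with the template every knob is an untyped variable the user has to discover from the docs, whereas a component's `spec.inputs` is self-describing, versioned with the component (`@1.0.0`), and rejected early when a project passes an unknown or mistyped input.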
Proposal
As part of this issue, group::composition analysis engineers discuss a new UX for enabling Dependency Scanning in CI pipelines, and suggest UX changes.
Ideally there's one thread per aspect of the UX. discoto is used to update the issue description with a table of contents.
The UX changes approved by Product will then be used to establish a migration path and a roadmap. (This is not in scope.)
/cc @johncrowley @thiagocsf @gonzoyumo
Auto-Summary: Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text `point:` (case-insensitive). For example, the following are all valid points:
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
Note that any markdown used in the point text will also be propagated into the topic summaries.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with `topic:` (case-insensitive). For example, the following are all valid topics:
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
Quick Actions
| Action | Description |
| --- | --- |
| `/discuss sub-topic TITLE` | Create an issue for a sub-topic. Does not work in epics. |
| `/discuss link ISSUABLE-LINK` | Link an issuable as a child of this discussion. |
Last updated by this job
- TOPIC Language detection #458920 (comment 1887298684)
- TOPIC Target path #458920 (comment 1887303388)
- TOPIC Offline support #458920 (comment 1887304217)
- TOPIC Filter dev components #458920 (comment 1887308408)
- TOPIC Language version #458920 (comment 1887314095)
- TOPIC FIPS support #458920 (comment 1887320228)
- TOPIC Configuration of CLI that exports dependencies (Gemnasium) #458920 (comment 1887326906)
- TOPIC Configuration of CDX generator #458920 (comment 1887329762)
- TOPIC Releases, compatibility, and maintenance #458920 (comment 1887339369)
- TOPIC Proposal #458920 (comment 1902599432)
- TOPIC Types of SBOMs #458920 (comment 1903357704)
- TOPIC Container Scanning #458920 (comment 1903363621)
Discoto Settings
```yaml
---
summary:
  max_items: -1
  sort_by: created
  sort_direction: ascending
```
See the settings schema for details.