The GitLab Slack App Integration lets users select notifications for new vulnerabilities on all branches. However, only vulnerabilities added to the default branch actually trigger Slack notifications. This seems to be related to the fact that the vulnerability report only considers the default branch when looking for "new" vulnerabilities.
Problem to solve
In the GitLab Slack App integration, vulnerabilities on branches other than the default branch do not trigger Slack notifications. However, the UI indicates that this is possible by presenting the option to select "All branches".
Proposal
I see two options here:
Make the feature send vulnerability notifications for all branches, OR
Disable the option "All branches" when the vulnerability trigger is selected
@b_freitas We are testing notifications for Secret Detection vulnerabilities and would like to have the notification enabled for feature/all branches (not just the default branch) if a secret is detected after changes are pushed to the repository. This way we can catch, report and fix the leak before the feature branch is merged into the main branch. Do you know if notifications for vulnerabilities in feature/all branches will be enabled and, if so, what the timeline would be for having this feature enabled from GitLab?
The Secret Detection feature in GitLab does not fail the build but does report a detected secret as a critical vulnerability in the Security tab of the pipeline. If the build is successful but a secret is detected, would the vulnerability notification feature still send a notification about the vulnerability, or does this feature only work when the build fails?
Do you know if notifications for vulnerabilities in feature/all branches will be enabled and, if so, what the timeline would be for having this feature enabled from GitLab?
@m_frankiewicz would you be able to give some insights on the next steps for this issue?
If the build is successful but a secret is detected, would the vulnerability notification feature still send a notification about the vulnerability, or does this feature only work when the build fails?
The vulnerability notification feature should send the notification even if the build succeeds, as long as the triggering criterion is met (new vulnerabilities detected).
@b_freitas @sthacker this looks specifically related to the Secret Detection feature, owned by groupsecret detection. I see @smeadzinger has seen this already and linked another related issue. Sara, do you have plans to adjust this notification in the Slack app and send vulnerability notifications for all branches?
If not, we can remove the possibility to select branches from the UI. @b_freitas I see you've adjusted the text of the checkbox already.
In general, when it comes to adding new notifications, we are awaiting the Notification Center that grouppersonal productivity plans to work on, and we won't be adding new notifications before that ships.
Hi @m_frankiewicz, based on how GitLab has defined the term "vulnerability," it only relates to things that have been detected on the default branch. Things that have been detected on other branches are "security findings." Likely a webhook or API would need to be updated in order to send findings from all branches.
We'd likely need to first have the vulnerabilities stored in the database for additional branches before we can send the data. There may be other approaches, but at the moment that's why we limit to the default branch.
All other security findings are detected and aggregated based on real-time security scan report artifacts and compared in the pipeline to diff directly between branches.
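Until the integration covers non-default branches, the gap described in this thread can be closed on the pipeline side. The following is an added example, not GitLab's or the Slack app's code: a script run as a CI job after the secret detection job that reads the report artifact on a feature branch and builds the Slack message the app would otherwise only send for the default branch. It assumes the report layout (a "vulnerabilities" list with severity, name and location keys) and a hypothetical CI variable SLACK_WEBHOOK_URL holding an incoming-webhook URL; neither comes from the thread.

```python
# Added example, not GitLab's code: CI-side fallback that reads the Secret
# Detection report on a non-default branch and builds the Slack message the
# integration only sends for the default branch. Assumed (not from the thread):
# the report layout (a "vulnerabilities" list with severity/name/location) and
# a hypothetical CI variable SLACK_WEBHOOK_URL holding an incoming-webhook URL.
import json
import os
import urllib.request

# Constructed sample in the shape of gl-secret-detection-report.json.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"name": "AWS Access Key", "severity": "Critical",
     "location": {"file": "config/settings.py", "start_line": 12}},
    {"name": "Generic token", "severity": "Low",
     "location": {"file": "README.md", "start_line": 3}},
]})

SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

def findings_at_or_above(report_text, minimum="High"):
    """Return findings with severity >= minimum, worst first."""
    report = json.loads(report_text)
    threshold = SEVERITY_RANK[minimum]
    hits = [v for v in report.get("vulnerabilities", [])
            if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= threshold]
    return sorted(hits, key=lambda v: -SEVERITY_RANK[v["severity"]])

def slack_payload(findings, branch, project):
    """Incoming-webhook payload: one line per finding, location only, never the secret."""
    lines = [f":rotating_light: {len(findings)} secret(s) detected on `{branch}` in {project}"]
    for v in findings:
        loc = v.get("location", {})
        lines.append(f"- {v['severity']}: {v['name']} at {loc.get('file')}:{loc.get('start_line')}")
    return {"text": "\n".join(lines)}

def notify_if_needed(report_text, branch, default_branch, project):
    """The default branch is already covered by the Slack app; post only elsewhere."""
    if branch == default_branch:
        return None
    findings = findings_at_or_above(report_text)
    if not findings:
        return None
    payload = slack_payload(findings, branch, project)
    url = os.environ.get("SLACK_WEBHOOK_URL")  # hypothetical CI variable
    if url:
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=10)
    return payload
```

In a real job the report text would come from the gl-secret-detection-report.json artifact and the branch names from the predefined CI variables rather than the constructed sample.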