Auto-remediation Beta
Problem to solve
Composition Analysis is introducing a new concept to our product. Auto-remediation was previously supported only for yarn, though it was not widely used and produced mixed results. With the rollout of our new DS Analyzer and the deprecation of Gemnasium, auto-remediation support for yarn will be removed. We should add beta support for auto-remediation to continue to evolve our product to meet user expectations.
Proposal
Create a language-limited beta of auto-remediation. We should focus on Python as an entry point, with additional language support coming in GA.
- Focus on one package manager / language (Python)
- Use LLM to establish safe version
- Create diff of manifest file using GitLab's API
- User triggers the MR creation via button interaction on vulnerability
- MR creation by Security Bot
- Update Vulnerability Status in the Vulnerability report
- CVS-created vulnerabilities should be auto-remediated
- MR approval policies defined at the project level will be applied
- Global configuration to turn On / Off
- On / Off configuration at project level*
- Patch and minor version updates
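The core of the proposal (establish a safe version, rewrite the manifest, produce a diff for the MR, and restrict the change to patch and minor updates) can be shown for the Python entry point. The block below is an added example and not code from the issue or from GitLab; the manifest and advisory data are constructed, and a deterministic lookup of known fixed versions stands in for the LLM step so that it runs offline. The GitLab API call that would commit the diff and open the MR as the Security Bot is not shown.

```python
import difflib
import re

# Constructed sample requirements.txt (not from the issue).
SAMPLE_REQUIREMENTS = """\
requests==2.25.0
flask==1.1.2
pyyaml==5.3.1
django==2.2.0
"""

# Constructed advisory data: package -> versions that contain the fix.
# In the proposal an LLM establishes the safe version; whatever source
# proposes it, the same-major check below should still be applied before
# the change is committed.
SAMPLE_FIXED_VERSIONS = {
    "requests": ["2.25.1", "3.0.0"],
    "pyyaml": ["5.4", "6.0"],
    "django": ["3.0.0"],   # only a major bump exists: must not be auto-applied
}

# Matches exact pins of the form "name==version".
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[0-9][0-9A-Za-z.]*)\s*$")


def parse_version(version):
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def choose_safe_version(current, fixed_versions):
    """Return the lowest fixed version that is newer than `current` and keeps
    the same major version (a patch or minor update), or None if none exists."""
    cur = parse_version(current)
    candidates = [
        (parse_version(v), v)
        for v in fixed_versions
        if parse_version(v) > cur and parse_version(v)[0] == cur[0]
    ]
    if not candidates:
        return None
    return min(candidates)[1]


def remediate_manifest(manifest, fixed_versions):
    """Rewrite vulnerable pins to their chosen safe version.

    Returns (new_manifest, changes) where changes maps package name to
    (old_version, new_version). Pins with no patch/minor fix are left alone
    so they can be routed to a human instead of an automatic MR."""
    new_lines = []
    changes = {}
    for line in manifest.splitlines():
        match = PIN_RE.match(line)
        if match:
            name = match.group("name").lower()
            current = match.group("version")
            if name in fixed_versions:
                safe = choose_safe_version(current, fixed_versions[name])
                if safe is not None:
                    changes[name] = (current, safe)
                    new_lines.append(f"{match.group('name')}=={safe}")
                    continue
        new_lines.append(line)
    return "\n".join(new_lines) + "\n", changes


def manifest_diff(old, new, path="requirements.txt"):
    """Unified diff of the manifest, in the shape an MR would carry."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True),
        new.splitlines(keepends=True),
        fromfile=f"a/{path}",
        tofile=f"b/{path}",
    ))


if __name__ == "__main__":
    updated, applied = remediate_manifest(SAMPLE_REQUIREMENTS, SAMPLE_FIXED_VERSIONS)
    print(applied)
    print(manifest_diff(SAMPLE_REQUIREMENTS, updated))
```

Running it bumps requests to 2.25.1 and pyyaml to 5.4, leaves django untouched because its only fix is a major version away, and prints the unified diff that would go into the Security Bot's MR. Keeping the same-major check separate from the version source is deliberate: it is the guard that makes an LLM-suggested version safe to act on automatically.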
Configuration [Beta]
Enable/Disable of feature
Users should be able to enable Auto-Remediation at the Organization level to allow for global rollout across an organization.
Organizations should be able to turn off Auto-Remediation for specific projects. There may be critical projects that mandate human intervention when remediating vulnerabilities.
Note: there will be other forms of configuration supported in GA.
MR Creation Cadence
Users will expect an MR to be created immediately after initiation.
MR Author
The author of the Merge Request should be a Security Bot.
Vulnerability status
We should create one new status: Auto-Remediate (working title; other suggestions are welcome).
When a vulnerability is identified as a candidate for auto-remediation, it should be put into the Auto-Remediate status until the MR is merged. Once the MR is merged, the status should change to Resolved.
Reporting
Show the vulnerability in the Vulnerability Report with an indicator that it was auto-remediated. The FE work is NOT in scope for the Composition Analysis group. This was called out because we need some way to track the vulnerabilities that are auto-remediated.
MR Approval Policies
Auto-remediation should adhere to the MR approval policies that have been defined at the Project level.
Outstanding questions*
- For On / Off configuration - is there less effort in allowing users to turn this on only for specific projects? My fear is that if we only allow users to enable this at the group level they may have projects where this functionality should not run.
- Does this functionality need to be isolated to focus on Dependency and Container scanning results separately? The answer to this question will impact MVC definition. If this needs to be isolated between the two, then we should focus on Dependency Scanning first and then add support for Container Scanning.