Split the Tool filter into Scanner and Report Type filters
This issue is part of #503371 (closed)
The previous Tool filter will be split up into two filters: Report Type and Scanner. We already support `scanner` and `report_type` as arguments in the GraphQL schema, and the backend already provides a way to retrieve all scanners for a project.
- Scanner (Tool/Analyzer): Refers to the specific software used to perform the scan (e.g. Advanced SAST, Gemnasium, Trivy, or GitLab SBOM Vulnerability Scanner)
- Report Type: Refers to the type of scan or vulnerability category (e.g. SAST, DAST, SCA, Secret Scanning, or API Fuzzing)
Both filters will support multiple selections, enabling users to refine results with combined criteria.
This issue will also address the bug where the Tool filter wasn't working correctly. With the Tool filter we were showing incorrect results because we assumed each scanner produced only one type of vulnerability, but some scanners (e.g. GitLab SBoM Vulnerability Scanner) generate multiple types (e.g., Dependency Scanning, Container Scanning). The filter was only sending the `scanner` argument to GraphQL without the `report_type` argument, causing incomplete filtering. By splitting up the Tool filter we no longer face this issue.
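To make the bug concrete, here is a small JavaScript model (added for this issue, not GitLab's own frontend or backend code) of how the single Tool filter turned a selection into GraphQL variables versus how the split filters do. The findings, scanner ids and report type values are constructed sample data; the variable keys `scanner` and `report_type` mirror the argument names mentioned above, and the stand-in `applyFilter` assumes values within one argument are OR-ed and the two arguments are AND-ed.

```javascript
// Added illustration for this issue, not GitLab code: why a single Tool filter
// returned too much, and how independent Scanner and Report Type filters fix it.

// Constructed sample findings. Scanner ids and report types are illustrative only.
const findings = [
  { id: 1, scanner: 'gitlab-sbom-vulnerability-scanner', report_type: 'DEPENDENCY_SCANNING' },
  { id: 2, scanner: 'gitlab-sbom-vulnerability-scanner', report_type: 'CONTAINER_SCANNING' },
  { id: 3, scanner: 'trivy', report_type: 'CONTAINER_SCANNING' },
  { id: 4, scanner: 'gitlab-advanced-sast', report_type: 'SAST' },
];

// Old behaviour: a Tool entry paired one scanner with one assumed report type,
// but only the scanner argument was sent, so the report type was silently dropped.
function legacyToolFilterVariables(tool) {
  return { scanner: [tool.scanner] };
}

// New behaviour: Scanner and Report Type are independent multi-select filters,
// each contributing its own argument (key names mirror the issue: scanner, report_type).
function splitFilterVariables({ scanners = [], reportTypes = [] } = {}) {
  const variables = {};
  if (scanners.length > 0) variables.scanner = scanners;
  if (reportTypes.length > 0) variables.report_type = reportTypes;
  return variables;
}

// Stand-in for the backend resolving the arguments. Assumption: values within one
// argument are OR-ed, and the two arguments are AND-ed together.
function applyFilter(items, variables) {
  return items.filter(
    (f) =>
      (!variables.scanner || variables.scanner.includes(f.scanner)) &&
      (!variables.report_type || variables.report_type.includes(f.report_type)),
  );
}

// Returns just the matched ids so the two behaviours are easy to compare.
function matchedIds(items, variables) {
  return applyFilter(items, variables).map((f) => f.id);
}

// The bug: the user picks the SBOM scanner's Container Scanning tool entry, yet
// the Dependency Scanning finding (id 1) from the same scanner comes back too.
const legacyTool = { scanner: 'gitlab-sbom-vulnerability-scanner', report_type: 'CONTAINER_SCANNING' };
console.log('legacy Tool filter:', matchedIds(findings, legacyToolFilterVariables(legacyTool))); // [1, 2]

// The fix: combining both filters narrows the result to the intended finding only.
console.log(
  'split filters:',
  matchedIds(findings, splitFilterVariables({
    scanners: ['gitlab-sbom-vulnerability-scanner'],
    reportTypes: ['CONTAINER_SCANNING'],
  })),
); // [2]

// Either filter also works on its own, e.g. all Container Scanning findings regardless of scanner.
console.log('report type only:', matchedIds(findings, splitFilterVariables({ reportTypes: ['CONTAINER_SCANNING'] }))); // [2, 3]
```

The point of the model is the first result: with only `scanner` sent, every report type that scanner emits is returned, which is exactly the over-matching described above. Sending both arguments, or either one alone, yields the expected subset.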
Relevant links
- Parent Issue: Allow the Tool filter on the vulnerability report to have multiple occurrences of the same scanner for different report type
- Implementation Plan of Parent Issue: Add Scanner Filter and Report Type Filter
- Discussion on creating this follow-up/separate issue: Rename Tool to Report Type + add feature flag vulnerability_report_type_scanner_filter MR
- Spike to determine how to add Scanner filtering on Group and Enhancement level #515333
Verification steps
Report Type Filter:
- Open your browser and visit https://gitlab.com/gitlab-org/govern/threat-insights-demos/personal-test-projects/webgoat.net/-/security/vulnerability_report/
- Look for the Report Type option when you open the Search/Filter menu. It should appear alongside other filter options.
- After clicking Report Type, you'll see a list of available Report Types you can filter by. Please note that only the Report Types should be shown, not the scanners.
- Pick any Report Type from the list. Only the reports that have this Report Type will now be shown. When looking at the Filter/Search bar, you should see: "Report Type || [your selected report type]"
Scanner Filter:
- Open your browser and visit https://gitlab.com/gitlab-org/govern/threat-insights-demos/personal-test-projects/webgoat.net/-/security/vulnerability_report/
- Look for the Scanner option when you open the Search/Filter menu. It should appear alongside other filter options.
- After clicking Scanner, you'll see a list of available scanners you can filter by.
- Pick any scanner from the list. You'll notice the Filter/Search bar updates to show "Scanner || [your selected scanner]".