
🎨 Design: Security dashboard component - Total Risk Score of scope

What problem does the feature aim to solve?

AppSec engineers would like to understand their application / BU scope at a glance. The goal is to provide them with one data-driven metric that reflects the overall risk of their app. This will allow them both to understand their current risk and to compare it with other apps/BUs. This dashboard widget will let the user very quickly grasp the AppSec risk of the selected scope.

The formula will be shared in our documentation.

Goal

Users can measure their business unit risk score. Right now, this is the number of criticals, highs, etc., i.e. driven by severity alone. (Eventually, it may become a risk score incorporating multiple inputs: severity, KEV, EPSS, etc.)

What are the required timelines?

Q126

Who are the target audience for this feature?

AppSec manager/director of Ultimate customers 😄

Have we finalized what a "scope" means? If so, could you please reference to any documentation

Work in progress in this issue - the TLDR: a Scope/View/App (name TBD) will be a collection of groups and projects.

  • This will be a collection of projects and groups that represent a business unit -- disconnected from the GitLab organization of groups/ projects. We can start with the current project/ group/ instance framework if needed until we have an application/ business-unit view (where the list of projects it contains can be more customizable).
  • First stage - introduce for group or project. Out of scope to enable removing certain projects.
  • Scale: 0-10 or 0-100: vulnerability research team should calculate this.
    • Dean: "Essentially green is good and red is bad."
    • However, it's important for us to also consider accessibility concerns on top of this, as not everyone sees red and green the same way.

🎨 Figma link: https://www.figma.com/design/Haz0Y4rAZUXvvipySp0y8R/Becka---Security-Insights?node-id=270-30966&t=nVU9VGLL8Cd7d6lM-4

******************

Jan 22, 2025: Notes from sync session with @svedova after identifying that the gauge charts in echarts are different from the gauge chart in gitlab-ui:

  • Bringing a new chart [from echarts] is absolutely possible and he doesn't think it's a task that expands to multiple milestones.
  • We went through the examples and we concluded that we don't have to bring in a new chart, we just need to change the gauge chart configuration to meet our design requirements.
  • Based on a quick search, it looks like we don't use the GlGaugeChart anywhere in the tool, so we can also change the default design for the Gauge chart without affecting other parts of GitLab.
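To make the "change the gauge chart configuration" step concrete, here is an added example (not GitLab's or gitlab-ui's code) that builds a plain ECharts gauge option object for the risk score widget. The 0-100 scale is the one the issue mentions; the band thresholds (40/70), the colors, and the "Low/Medium/High" labels are assumptions chosen for illustration, since the research team has not yet defined the scale. The band name is repeated in the gauge's detail text and series name so the result is readable without relying on color alone, which addresses the accessibility point above.

```javascript
// Added example, not GitLab code. Builds an ECharts `option` for a risk gauge.
// Thresholds, colors and labels below are ASSUMPTIONS for illustration only.
const RISK_BANDS = [
  // `upTo` is the band's upper bound as a fraction of the gauge scale,
  // which is the format ECharts expects for axisLine.lineStyle.color.
  { upTo: 0.4, color: '#2da160', label: 'Low' },
  { upTo: 0.7, color: '#c17d10', label: 'Medium' },
  { upTo: 1.0, color: '#dd2b0e', label: 'High' },
];

// Keep the needle inside the dial even if an upstream calculation
// produces an out-of-range or non-numeric score.
function clampScore(score, min, max) {
  if (!Number.isFinite(score)) return min;
  return Math.min(max, Math.max(min, score));
}

// Map a score to its band so the UI can show a text label, not just a color.
function riskBand(score, min = 0, max = 100) {
  const fraction = (clampScore(score, min, max) - min) / (max - min);
  return RISK_BANDS.find((b) => fraction <= b.upTo) ?? RISK_BANDS[RISK_BANDS.length - 1];
}

// Returns an ECharts option object for a single gauge series.
function buildRiskGaugeOption(score, { min = 0, max = 100 } = {}) {
  const value = clampScore(score, min, max);
  const band = riskBand(value, min, max);
  return {
    series: [
      {
        type: 'gauge',
        min,
        max,
        axisLine: {
          lineStyle: {
            width: 18,
            // Colored arc segments: [[fraction, color], ...]
            color: RISK_BANDS.map((b) => [b.upTo, b.color]),
          },
        },
        detail: {
          valueAnimation: true,
          // Text carries the band name so meaning does not depend on color.
          formatter: (v) => `${Math.round(v)} (${band.label})`,
        },
        title: { show: true },
        data: [{ value, name: `Total risk score: ${band.label}` }],
      },
    ],
  };
}

// Usage: pass the returned object to an ECharts instance, e.g.
// echarts.init(el).setOption(buildRiskGaugeOption(42));
```

The option object is framework-agnostic: it can be handed to `setOption` on a raw ECharts instance, and wiring it into the gitlab-ui gauge wrapper would only require passing the same series configuration through whatever prop that component exposes.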

Requirements

  • Responds to all page-level filters (Report type, Project(s)), except Activity (still detected/ no longer detected) and Status.
Edited by Becka Lippert