Secure section terminology

Problem to solve

Our UI and documentation use inconsistent terminology across different areas, which can create confusion. For example:

• Vulnerability Report UI refers to Scanner as GitLab
• Vulnerability Detail UI refers to Scanner as ESLint 

Note: While #503371 (closed) has already introduced the new Report Type and Scanner filters, removed the Tool filter, and updated some UI elements and docs, there are still places where outdated or unclear terminology remains. This issue focuses on identifying and updating those remaining areas to fully align with the standardized terms.

Proposal

1. Standardize Key Terminology

To maintain consistency, we should define and use the following terms:

• Report Type: The category of security testing (e.g., SAST, Container Scanning).
• Scanner: The specific scanning engine/program that performs the analysis (e.g., ESLint, Gemnasium).
• Vendor: The company that provides the scanner (e.g., GitLab, Veracode).
• Identifier: Standardized vulnerability references (CVE or CWE).

We will phase out the following terms:

• Tool -> Replaced by Report Type or Scanner where applicable
• Analyzer -> This term will only be used in the development docs only.

2. Documentation Cleanup

We will use the Security Glossary as the Single Source of Truth (SSOT) for user-facing terminology. Developer-facing terminology can remain in dev docs where needed (e.g., "analyzer").

To do:

• Identify and update other places where these terms are used inconsistently
• Review and refine the following handbook pages:
• https://docs.gitlab.com/user/application_security/vulnerability_report/
• https://docs.gitlab.com/user/application_security/terminology/
  • Report Type or Scan type?
    • https://docs.gitlab.com/user/application_security/terminology/#scan-type-report-type
  • Scanner:
    • https://docs.gitlab.com/user/application_security/terminology/#scanner
    • https://docs.gitlab.com/user/application_security/troubleshooting_application_security/#logging-level
  • Vendor:
    • https://docs.gitlab.com/user/application_security/terminology/#vendor
  • Identifier:
    • https://docs.gitlab.com/user/application_security/terminology/#primary-identifier
    • https://docs.gitlab.com/user/application_security/terminology/#cve
    • https://docs.gitlab.com/user/application_security/terminology/#cwe
  • Analyzer:
    • https://docs.gitlab.com/user/application_security/terminology/#analyzer

3. Align UI Terminology

Report Type

• Identify remaining places in the UI where Report Type should be shown or renamed

Scanner

• On-Demand Scans (New On-Demand Scan)
  • Shows as: Scan Type: DAST Question: should this be Report Type instead? What is the difference? Also see: https://docs.gitlab.com/user/application_security/terminology/#scan-type-report-type

Vendor

• Vulnerability Report Page
  • Shows as: WIP - @charlieeekroon
• Individual Vulnerability Report
  • Shows as: WIP - @charlieeekroon

Identifier

• Vulnerability Report Page
  • Shows as:
    • Column Header - This displays two different things: an identifier code, and a Scanner Specific Identifier.

Question: Is this clear to the user? Shouldn't we always only show the Common Vulnerability Identifier?

• Individual Vulnerability Report
  • Shows as
    • Header. This displays two different things: an identifier code and a Scanner Specific Identifier.

Question: Is this clear to the user? Shouldn't we always only show the Common Vulnerability Identifier?

• Add vulnerability finding
  • Shows as: Header. The user can fill in an identifier code and an identifier URL.

Question: Do we mean with Identifier URL e.g: https://security-tracker.debian.org/tracker/CVE-2017-18269 ?

Analyzer

• Security Configuration
  • Shows as
    • WIP - @charlieeekroon - To be removed?

Tool

• Security Page / Pipelines / Security Tab

  • Shows as: - Plain dropdown
  • Notes: - We eventually want to migrate this page to use the filtered search component, similar to the Vulnerability Report (Filter/Search Vulnerability Findings (&17642) • Unassigned) - In the meantime, a question was raised: would it make sense to already update the wording of the dropdown title from Tool to something more specific, like Report Type/Scanner, to align with the idea of using more consistent terminology across Secure and removing the term tool where possible? - Additional issues, epics and discussions:
    • [Beta] Validity checks (&16927) • Serena Fang • 18.5
    • Filter/Search Vulnerability Findings (&17642) • Unassigned
    • &16927 (comment 2468284544)
    • #534478 (comment 2474537505)
    • #534478 (comment 2474645481)
    • #534478 (comment 2475626425)
    • #534478 (comment 2475658034)
    • &17642 (comment 2474850589)
  • 

• Vulnerability Report Page / Development Vulnerabilities (Group Level)

  • Shows as:
    • filter, group by filter

• Vulnerability Report Page / Operational Vulnerabilities (Group Level) (Example URL),

  • Shows as:
    • group by filter

• Security Inventory designs - The section currently titled Tool coverage should be renamed to Report type coverage to reflect our standardized terminology.

Next Steps

• Create child issues for concrete actions to break this down into more manageable tasks.
• Answer the open questions listed in this issue
• Go through UI, to find possible other places of misuses of the terminology