Group-level Security Dashboard
Problem to solve
We have the Security Dashboard MVC (https://gitlab.com/gitlab-org/gitlab-ee/issues/6709) for a single project, but security teams normally want a wider view of security across multiple projects at the same time, for example all the projects in a specific group.
Proposal
Implement the Security Dashboard as a group-level feature. It is accessible at Overview > Security Dashboard.
The Dashboard is organized into three sections:
- a summary with a set of colored boxes, one for each severity level (Critical, High, Medium, Low, Unknown)
  - each box has a different color
  - each box contains the total number of vulnerabilities across all the projects in the group for the given severity
  - these counters are not updated when results are filtered
  - in this iteration, numbers are not clickable
- a filter bar
  - users can filter by different properties (Severity, Project, Confidence)
- a list of vulnerabilities
  - the list is organized into tabs (All, SAST, Dependency Scanning, Container Scanning, DAST)
    1. TBD what to do with tabs for which no data is available (missing feature/report)
    2. clicking a tab filters by that source type only
    3. tab titles show the total number of vulnerabilities for that tab
  - for each row, information for the given vulnerability is shown
    1. first line: vulnerability name (clickable, opens the details window)
    2. second line: project name (TBD clickable, opens the project-level security dashboard)
  - action items are present
    1. create an issue
    2. dismiss vulnerability
  - items are sorted by severity; the secondary sort key is TBD
  - lists are paginated
The details window is the same one used for security reports, but it also contains an additional entry with a link to the project.
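To make the aggregation rules above concrete, here is an added example (not GitLab's code, and not part of this proposal) that models the group dashboard in memory: summary counters computed over every vulnerability in the group regardless of active filters, a filter bar over severity/project/confidence, per-tab totals, severity-ordered rows and pagination. The vulnerability records, project names and report-type keys are constructed sample data, and the secondary sort key (project name, then vulnerability name) is an assumption, since the proposal leaves it TBD.

```ruby
# Added example: an in-memory model of the group-level dashboard aggregation.
# Not GitLab code. Sample data and secondary sort order are assumptions.

SEVERITIES = %w[critical high medium low unknown].freeze
REPORT_TYPES = %w[sast dependency_scanning container_scanning dast].freeze

Vulnerability = Struct.new(:name, :project, :severity, :confidence, :report_type,
                           keyword_init: true)

class GroupSecurityDashboard
  def initialize(vulnerabilities)
    @all = vulnerabilities
  end

  # Summary boxes: one counter per severity over ALL vulnerabilities in the
  # group. Deliberately computed from @all so the filter bar never changes it.
  def summary
    counts = SEVERITIES.map { |s| [s, 0] }.to_h
    @all.each { |v| counts[v.severity] += 1 }
    counts
  end

  # Filter bar. Each property is optional and accepts a single value or a list.
  def filtered(severity: nil, project: nil, confidence: nil)
    @all.select do |v|
      (severity.nil? || Array(severity).include?(v.severity)) &&
        (project.nil? || Array(project).include?(v.project)) &&
        (confidence.nil? || Array(confidence).include?(v.confidence))
    end
  end

  # Tab titles: "all" plus one entry per report type, each with the number of
  # vulnerabilities that tab would show under the current filters.
  def tab_counts(**filters)
    list = filtered(**filters)
    per_type = REPORT_TYPES.map { |t| [t, list.count { |v| v.report_type == t }] }.to_h
    per_type.merge('all' => list.size)
  end

  # Rows of one tab: filtered, restricted to the tab's report type, sorted by
  # severity (most severe first; secondary key project then name is assumed),
  # then paginated. An out-of-range page yields an empty list.
  def rows(tab: 'all', page: 1, per_page: 20, **filters)
    list = filtered(**filters)
    list = list.select { |v| v.report_type == tab } unless tab == 'all'
    sorted = list.sort_by { |v| [SEVERITIES.index(v.severity), v.project, v.name] }
    sorted.each_slice(per_page).to_a[page - 1] || []
  end
end

# Constructed sample data: findings from three projects in one group.
def sample_vulnerabilities
  [
    Vulnerability.new(name: 'Hard-coded credential', project: 'api', severity: 'critical',
                      confidence: 'high', report_type: 'sast'),
    Vulnerability.new(name: 'Outdated lodash', project: 'web', severity: 'high',
                      confidence: 'high', report_type: 'dependency_scanning'),
    Vulnerability.new(name: 'CVE in base image', project: 'web', severity: 'medium',
                      confidence: 'medium', report_type: 'container_scanning'),
    Vulnerability.new(name: 'Missing CSP header', project: 'web', severity: 'low',
                      confidence: 'low', report_type: 'dast'),
    Vulnerability.new(name: 'SQL string concatenation', project: 'api', severity: 'high',
                      confidence: 'medium', report_type: 'sast'),
    Vulnerability.new(name: 'Unparsed finding', project: 'worker', severity: 'unknown',
                      confidence: 'unknown', report_type: 'sast')
  ]
end

if __FILE__ == $PROGRAM_NAME
  dashboard = GroupSecurityDashboard.new(sample_vulnerabilities)
  puts "summary:        #{dashboard.summary}"
  puts "tabs (web only): #{dashboard.tab_counts(project: 'web')}"
  puts "SAST rows:      #{dashboard.rows(tab: 'sast').map(&:name)}"
end
```

The point worth noticing is that `summary` reads from the full set while `tab_counts` and `rows` read from `filtered`; that split is exactly the "counters are not updated when results are filtered" rule, and it is what keeps the severity boxes from silently shrinking when someone filters to a single project.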
Dashboard MVC Design
What does success look like, and how can we measure that?
People use the Security Dashboard to manage the security of their projects. Success can be measured by the number of page views of the Group Security Dashboard.
Edited by Fabio Busatto