<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=299490) </details> <!--IssueSummary end--> <!--The first section "Release notes" is required if you want to have your release post blog MR auto generated. Currently in BETA, details on the **release post item generator** can be found in the handbook: https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator and this video: https://www.youtube.com/watch?v=rfn9ebgTwKg. The next four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended in your first draft, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution.--> ### Release notes <!--What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). "--> ### Problem to solve <!--What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)."--> In a monorepo, there is a need to segment aspects of scans and test reports based on parts of the repository (whether that is a specific file or application) rather than inherently all of the contents of the repository. In GitLab, reports are currently tied to artifacts and the artifacts are tied to the gitlab-ci.yaml file which is tied to the project, so this means that reports are viewed at the whole entirety of the project or source code repo. As GitLab is leveraged for more diverse source code and CI needs, we are missing the ability to scope CI Report Artifacts within specific areas of a repository. Currently all results for a given "report type" (i.e. `sast` or `junit` or [many others](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreports)) get merged into the same dataset. This is convenient when I want MANY jobs to funnel into a single report, but for when I want to have different Reports for different areas within a given codebase, I am unable to do so. For DAST, oftentimes the "Default Branch" will be used to deploy to multiple environments and if multiple environments run DAST scans, the results will be a combination of all environments - which is not helpful. ### Intended users * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead) * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) * [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test) ### User experience goal <!--What is the single user experience workflow this problem addresses? For example, "The user should be able to use the UI/API/.gitlab-ci.yml with GitLab to <perform a specific task>" https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/--> We ought to support namespaces for Artifact Reports ### Proposal <!--How are we going to solve the problem? Try to include the user journey! https://about.gitlab.com/handbook/journeys/#user-journey--> Add a `namespace` designation so that reports when defined can be namespaced. ```yaml sast:app1: variables: CI_PROJECT_DIR: app1/ artifacts: reports: sast: gl-sast-report.json namespace: app1 sast:app2: variables: CI_PROJECT_DIR: app2/ artifacts: reports: sast: gl-sast-report.json namespace: app2 ``` **OR** like how [environment namespaces](https://docs.gitlab.com/ee/ci/environments/#grouping-similar-environments) work: ```yaml sast:app1: variables: CI_PROJECT_DIR: app1/ artifacts: reports: sast/app1: gl-sast-report.json sast:app2: variables: CI_PROJECT_DIR: app2/ artifacts: reports: sast/app2: gl-sast-report.json ``` **OR - leverage CODEOWNERS Sections (thanks @dzalbo) for the idea.** Augmented by "labelling' vulnerability objects with [section names from CODEOWNERS](https://docs.gitlab.com/ee/user/project/codeowners/#organize-code-owners-by-putting-them-into-sections). A lot of customers using monorepos already employ CODEOWNERS as a solution to set up ownership and approval rules based on which component was modified. We could apply the same logic and automatically categorize vulnerabilities (at least SAST and SCA as they can be tracked to specific location within repository). This way there will be no need to set up namespaces in CI and the solution would also work well with incremental SAST scanning ([Incremental SAST scanning (only scan code chang... (#419734)](https://gitlab.com/gitlab-org/gitlab/-/issues/419734 "Incremental SAST scanning (only scan code changed in the MR)")) ### Further details <!--Include use cases, benefits, goals, or any other details that will help us understand the problem better.--> This is vital for to enable support for monorepo architectures. ### Permissions and Security <!--What permissions are required to perform the described actions? Are they consistent with the existing permissions as documented for users, groups, and projects as appropriate? Is the proposed behavior consistent between the UI, API, and other access methods (e.g. email replies)? Consider adding checkboxes and expectations of users with certain levels of membership https://docs.gitlab.com/ee/user/permissions.html * [ ] Add expected impact to members with no access (0) * [ ] Add expected impact to Guest (10) members * [ ] Add expected impact to Reporter (20) members * [ ] Add expected impact to Developer (30) members * [ ] Add expected impact to Maintainer (40) members * [ ] Add expected impact to Owner (50) members--> ### Documentation <!--See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/workflow.html#for-a-product-change * Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements * If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html--> ### Availability & Testing <!--This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance. * Unit test changes * Integration test changes * End-to-end test change See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning--> ### Available Tier <!--This section should be used for setting the appropriate tier that this feature will belong to. Pricing can be found here: https://about.gitlab.com/pricing/ * Free * Premium/Silver * Ultimate/Gold--> ### What does success look like, and how can we measure that? <!--Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. Create tracking issue using the the Snowplow event tracking template. See https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Snowplow%20event%20tracking.md--> ### What is the type of buyer? <!--What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/ In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers--> ### Is this a cross-stage feature? <!--Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features--> ### Links / references <!--Label reminders - you should have one of each of the following labels. Use the following resources to find the appropriate labels: - https://gitlab.com/gitlab-org/gitlab/-/labels - https://about.gitlab.com/handbook/product/categories/features/-->