Suggested Solution (was Auto-remediation): user awareness when solutions are available in dashboards

Problem to solve

The security reports in the security dashboard (group and project level) do not explicitly inform users when solutions are available for newly detected vulnerabilities. Users have to sort through and select individual vulnerabilities to discover that a patch is available.

[Image: current UX]

Further details

Additional context: in the upcoming auto-remediation MVC, if the feature is activated (it will automatically create MRs with solutions when available), a banner will be displayed on the project-level dashboard, notifying the user and linking to the MRs with solutions. This issue aims to look at two cases: 1) the auto-remediation feature is not turned on, but dependency scanning is configured; 2) surfacing when solutions for container scanning vulnerabilities are available (then create an MR with the solutions).

For dependency scanning vulnerabilities with solutions, it works better to create individual MRs, whereas for container scanning a consolidated MR would be easier for the user.

Intended users

Proposal

Display on the vulnerability list when solutions are available. Allow users to create a merge request with the fixes.

  • Make the user aware of the setting (only show once) [Image: Settings]
  • Show it in the list [Image: List-normal]

Permissions and Security

Any user can create an MR with a solution.

Documentation

...

Availability & Testing

...

What does success look like, and how can we measure that?

  • Does the user know solutions are available upon landing on the dashboard page?
  • Can the user create a merge request with the available solutions?

What is the type of buyer?

Links / references

...

Edited by 🤖 GitLab Bot 🤖