Plan and refine: Notify user in merge request when security scans have not been performed [parent issue]

Problem to solve

Context: when a user configures security scan(s) on the default branch, all feature branches created afterwards will run the scan. However, feature branches created before the scans were configured on the default branch will not include the scan. Today it is possible to merge an MR even if the target branch has security scans but the source branch has no equivalent security scans.

Problem: vulnerabilities may be introduced to the default branch without any scans (even if the default branch is configured to perform scans).

Intended users

Further details

....

Proposal

Provide awareness to the user in the merge request UI of the following situation:

A source branch that doesn't have scans configured is targeting a default branch that does have scans.

Additionally, the UI provides instructions to remediate the problem, which is to rebase the source branch on top of the target branch. The rebase will 1) put all changes on top of the head of the default branch, 2) trigger a pipeline run, and 3) produce the security reports.

[Image: proposal]

Message copy:

This merge request does not include all the security scans configured in its target branch. Please rebase to have the security scans aligned with the target branch, so that the vulnerabilities can be compared.
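As an added example (not part of this issue or of GitLab's own implementation), a small Python model of the proposed check: it collects the security report types declared under artifacts:reports in each branch's parsed CI config, returns the scans the MR is missing, and shows that rebasing onto the target picks them up. The job dicts, report file names and the three-way-merge approximation of a rebase are constructed assumptions.

```python
# Report keys under artifacts:reports that GitLab treats as security scans
SECURITY_REPORTS = frozenset({
    "sast", "dependency_scanning", "container_scanning",
    "dast", "secret_detection", "coverage_fuzzing",
})

NOTICE = ("This merge request does not include all the security scans "
          "configured in its target branch. Please rebase to have the "
          "security scans aligned with the target branch, so that the "
          "vulnerabilities can be compared.")


def security_reports(ci_jobs):
    """Security report types declared by any job of a parsed CI config."""
    found = set()
    for job in ci_jobs.values():
        found |= SECURITY_REPORTS & set(job.get("artifacts", {}).get("reports", {}))
    return found


def missing_scans(target_jobs, source_jobs):
    """Scans the target branch runs that the MR's source branch does not."""
    return sorted(security_reports(target_jobs) - security_reports(source_jobs))


def mr_notice(target_jobs, source_jobs):
    """Widget message, or None when the source already runs every target scan."""
    missing = missing_scans(target_jobs, source_jobs)
    return f"{NOTICE} (missing: {', '.join(missing)})" if missing else None


def rebase_config(base_jobs, target_jobs, source_jobs):
    """Approximate the CI config after rebasing source onto target: take the
    target's config and re-apply only the jobs the source branch changed since
    the branch point (a simplified three-way merge of the job dict)."""
    merged = dict(target_jobs)
    for name in set(base_jobs) | set(source_jobs):
        if source_jobs.get(name) != base_jobs.get(name):  # changed on source
            if name in source_jobs:
                merged[name] = source_jobs[name]
            else:
                merged.pop(name, None)  # job deleted on the source branch
    return merged


# Constructed scenario: scans were added to main after the feature branch forked.
BASE = {"test": {"script": ["make test"]}}
MAIN = {**BASE, "sast": {"artifacts": {"reports": {"sast": "gl-sast-report.json"}}},
        "secret_detection": {"artifacts": {"reports": {"secret_detection": "gl-secret-detection-report.json"}}}}
FEATURE = {**BASE, "lint": {"script": ["make lint"]}}
```

Calling mr_notice(MAIN, FEATURE) yields the notice with "sast, secret_detection" listed as missing, while mr_notice(MAIN, rebase_config(BASE, MAIN, FEATURE)) returns None because the rebased branch now carries the target's scan jobs.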

Permissions and Security

All members see this UI

Documentation

...

Availability & Testing

...

What does success look like, and how can we measure that?

  • When a developer is in the MR (with the notification and rebase suggestion), do they notice the message?
  • Does the user understand the message and related issue in MR?
  • Does the user know how to remediate the problem?
  • Does the user act on the problem?

What is the type of buyer?

Links / references

Discovery issue: #34773 (closed)

Implementation plan

Conclusion

UX is covered in #12896 (closed) and backend #224170 (closed).

Edited by Lindsay Kerr