Plan and refine: Notify user in merge request when security scans have not been performed [parent issue]
Problem to solve
Context: when a user configures security scans on the default branch, all feature branches created afterwards will run the scans. However, feature branches created before the scans were configured on the default branch will not include them. Today it is possible to merge an MR even if the target branch has security scans but the source branch has no equivalent security scans.
Problem: vulnerabilities may be introduced to the default branch without any scans (even if the default branch is configured to perform scans).
Intended users
Further details
....
Proposal
Provide awareness in the merge request UI to user about the following issue:
A source branch that does not have scans configured is targeting a default branch that does have scans.
Additionally, the UI provides instructions to remediate the problem, which is to rebase the source branch on top of the target branch. The rebase 1) puts all changes on top of the head of the default branch, 2) triggers a pipeline run, and 3) produces the security reports.
Message copy:
This merge request does not include all the security scans configured in its target branch. Please rebase to have the security scans aligned with the target branch, so that the vulnerabilities can be compared.
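As an added illustration (example code, not GitLab's own implementation), the check behind the proposed notification: it compares the security report types (the `artifacts:reports` keys of each job) produced by the target branch's pipeline with those of the MR pipeline, and returns the message copy above together with the scans that are missing. The job lists are constructed sample input, not data fetched from GitLab.

```python
# Added example, not GitLab's code: detect an MR whose source branch lacks
# security scans that the target branch's pipeline produces.

# Security report types that can appear under a job's artifacts:reports.
SECURITY_REPORT_TYPES = {
    "sast", "dependency_scanning", "container_scanning",
    "secret_detection", "dast", "coverage_fuzzing", "license_scanning",
}

MESSAGE = (
    "This merge request does not include all the security scans configured "
    "in its target branch. Please rebase to have the security scans aligned "
    "with the target branch, so that the vulnerabilities can be compared."
)

def security_scans_in(jobs):
    """Return the set of security report types produced by a list of CI jobs.

    `jobs` is a list of dicts shaped like .gitlab-ci.yml job definitions."""
    found = set()
    for job in jobs:
        reports = job.get("artifacts", {}).get("reports", {})
        found |= SECURITY_REPORT_TYPES & set(reports)
    return found

def missing_security_scans(target_jobs, source_jobs):
    """Scans the target branch pipeline runs that the MR pipeline does not."""
    return security_scans_in(target_jobs) - security_scans_in(source_jobs)

def mr_scan_warning(target_jobs, source_jobs):
    """Return {"missing": [...], "message": ...} for the MR UI, or None
    when the source branch already runs every scan the target branch runs."""
    missing = missing_security_scans(target_jobs, source_jobs)
    if not missing:
        return None
    return {"missing": sorted(missing), "message": MESSAGE}

# Constructed sample: the default branch gained SAST and secret detection
# after the feature branch was cut, so the feature branch only runs tests.
TARGET_JOBS = [
    {"name": "test", "script": ["make test"]},
    {"name": "sast", "artifacts": {"reports": {"sast": "gl-sast-report.json"}}},
    {"name": "secret_detection",
     "artifacts": {"reports": {"secret_detection": "gl-secret-detection-report.json"}}},
]
SOURCE_JOBS = [{"name": "test", "script": ["make test"]}]

if __name__ == "__main__":
    print(mr_scan_warning(TARGET_JOBS, SOURCE_JOBS))
```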
Permissions and Security
All members see this UI
Documentation
...
Availability & Testing
...
What does success look like, and how can we measure that?
- When a developer views an MR that shows the notification and rebase suggestion, do they notice the message?
- Does the user understand the message and related issue in MR?
- Does the user know how to remediate the problem?
- Does the user act on the problem?
What is the type of buyer?
Links / references
Discovery issue: #34773 (closed)
Implementation plan
- backend #224170 (closed) (weight 3)
- frontend Included in #12896 (closed)
- documentation #224172 (closed)
Conclusion
UX is covered in #12896 (closed) and backend #224170 (closed).