Add "Scan overview per project" to Group-level dashboard side-widgets
Problem to solve
Context: #13298 (closed) added a dashboard widget that shows 1) projects that are not configured for security testing, 2) projects that are configured for testing, and 3) for tested projects, when the last tests ran (5, 15, 30, or 60 or more days ago).
A project reports as Untested when no security tools at all have been configured. It is considered Testing when one or more security tools (SAST, DAST, container scanning, or dependency scanning) have been configured.
Problem: A project with only one of the four scan jobs enabled shows as Testing, but the UI does not specify which scans are enabled. The user has to open the project directly to identify the scan type.
As the person responsible for my organization's security, I want to see which projects are and are not being tested, so I can identify projects that may be vulnerable or untested.
A user said: "As a security feature user, I can see that my project is out of date or not tested, but I would like to know which scan in which project is running, and maybe there are new scans that I could set up as well in a quick overview."
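To make the classification above concrete, here is an added example (not GitLab's own code) that derives the per-project scan overview the issue asks for: which of the four scan types are configured, the resulting Untested/Testing status, and the staleness bucket of the last run. It assumes a scan counts as configured when its GitLab CI security template is included in `.gitlab-ci.yml`; the template paths, the `.gitlab-ci.yml` sample, and the reading of "5, 15, 30, or 60 or more days ago" as lower-bound buckets are my assumptions, not taken from the issue.

```ruby
require 'yaml'
require 'date'

# Scan type -> CI template include path. Assumed mapping; verify against your GitLab version.
SCAN_TEMPLATES = {
  'SAST'                => 'Security/SAST.gitlab-ci.yml',
  'DAST'                => 'Security/DAST.gitlab-ci.yml',
  'Container Scanning'  => 'Security/Container-Scanning.gitlab-ci.yml',
  'Dependency Scanning' => 'Security/Dependency-Scanning.gitlab-ci.yml',
}.freeze

# Staleness thresholds from the issue, checked from largest to smallest.
AGE_BUCKETS = [60, 30, 15, 5].freeze

# Return the scan types whose templates are included in the given .gitlab-ci.yml text.
# Handles `include:` given as a single string, a list of strings, or a list of
# `{template: ...}` / `{local: ...}` hashes (only `template` entries are relevant here).
def configured_scans(ci_yaml)
  config = YAML.safe_load(ci_yaml) || {}
  inc = config['include']
  entries = inc.is_a?(Array) ? inc : [inc]
  templates = entries.compact.map { |e| e.is_a?(Hash) ? e['template'] : e }.compact
  SCAN_TEMPLATES.select { |_, path| templates.include?(path) }.keys
end

# Bucket the age of the last scan run. Assumption: a run N days old lands in the
# largest threshold it meets or exceeds; anything younger than 5 days is "within 5 days".
def age_bucket(last_run, today)
  return 'never run' if last_run.nil?
  days = (today - last_run).to_i
  threshold = AGE_BUCKETS.find { |t| days >= t }
  threshold ? "#{threshold}+ days ago" : 'within 5 days'
end

# Build the overview row for one project: status, last-run bucket, and the
# per-scan enabled flags that the new proposal wants to display.
def scan_overview(ci_yaml, last_run:, today: Date.today)
  enabled = configured_scans(ci_yaml)
  {
    status:   enabled.empty? ? 'Untested' : 'Testing',
    last_run: enabled.empty? ? nil : age_bucket(last_run, today),
    scans:    SCAN_TEMPLATES.keys.to_h { |s| [s, enabled.include?(s)] },
  }
end

# Constructed sample .gitlab-ci.yml with two of the four scans enabled.
SAMPLE_CI = <<~YAML
  include:
    - template: Security/SAST.gitlab-ci.yml
    - template: Security/Dependency-Scanning.gitlab-ci.yml
  unit_tests:
    script: bundle exec rspec
YAML

if __FILE__ == $PROGRAM_NAME
  p scan_overview(SAMPLE_CI, last_run: Date.new(2019, 9, 1), today: Date.new(2019, 9, 21))
  p scan_overview("stages: [test]\n", last_run: nil)
end
```

The `scans` hash is the piece missing from the status quo: a project with one enabled scan still reads as Testing, but the overview now also shows that DAST and container scanning are absent, which is what the quoted user asked for.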
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
Further details
This is part of an ongoing effort to help users accountable for their organization's security know when and where scans and checks are being performed. It follows up on the issue "Show on dashboard when security tests are not run or out of date".
Proposal
Show which scan type(s) are enabled for each project.
Status quo | New proposal
---|---
(screenshot: status quo) | (screenshot: new proposal)
What does success look like, and how can we measure that?
UX success question: Does this help users accountable for security understand which scans are being performed, and where?
Measure: UXR test with active users