
Discovery, Auto-remediation: auto-merge merge request with fixes

Problem to solve

#36500 (closed) is an MVC for the auto-creation of merge requests that contain fixes to known vulnerabilities. The problem is that the user must individually review the auto-created MRs and merge them. This leaves the user having to 1) proactively find the MRs (burdensome), and 2) then merge them one by one (time-consuming).

🎥 video walkthrough of current UX, MVC in progress, and context to this discovery: view walkthrough

Further context and details

  • This is a follow-up discovery issue to the auto-remediation discovery #14059 (closed). In that discovery we focused broadly on a path forward and on an MVC for auto-creation of merge requests with known solutions (#14059 (closed)).
  • UX research ux-research#530 (closed) is underway that looks at the MVC and informs this discovery, which is focused on auto-merging auto-created merge requests.
  • Current auto-remediation capabilities will affect projects that use dependency scanning and yarn. As we evolve the UX for auto-remediation our objective is 1) a generic auto-remediation UX that handles multiple capabilities (consistent UX across different capabilities) and 2) getting closer to an out-of-the-box UX (meaning it works without configuration). An example of an upcoming capability is #35433 (closed) (based on #9384 (closed)).
  • Findability of auto-created MRs, based on #36500 (closed): the user could identify an auto-created MR on the security dashboard, filter the MR list by the GitLab-autofix-vulnerabilities label, or see an MR notification banner on the dashboard.

Intended users

Proposal

Iterating on our MVC, let's explore and focus on how we can auto-merge the auto-created merge request. We also want to review the following:

  • Filtering by an auto-fix section instead of relying on a label
  • Re-evaluating alternatives for the author of auto-created MRs, such as a ghost user or a bot
  • Getting closer to an out-of-the-box UX, that is, the feature is on by default
  • User feedback from the ux-research#530 (closed) study

What does success look like?

The team produces next steps that include:

  • Improvements to the current MVC
  • An implementation plan/issue for the auto-merge auto-created MR MVC
  • Identifying our hypotheses/questions and testing them for validity/clarification #36503 (closed)

What is the type of buyer?

~Ultimate

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
