Aggregate security vulnerabilities in one single report
Problem to solve
We have different security reports available (SAST, Dependency Scanning, Container Scanning, DAST), and we actually show them independently (even if aggregated in the same panel/view).
But do people really care that much about which kind of test revealed the vulnerability? Maybe developers are more interested in it, but security folks probably just want to take action to ensure the problem will not affect production. So, this proposal may affect just the Security Dashboard and not the "developer" reports.
This makes even more sense in the direction of sorting vulnerabilities by impact. The information related to the "category" could still be present, but in a secondary position and not as the primary grouping criterion.
As a security team member, I want to check which are the most critical vulnerabilities that are affecting my production environment, and start a resolution process from there. I want to have a single ordered list that can easily be worked through sequentially.
Create a single report that contains vulnerabilities from different security features. Sort this report by severity.
What does success look like, and how can we measure that?
Security people will use this single report to take action on security vulnerabilities. We could get metrics on dismissals/opened issues to see which view is used.