[Experiment] - Vulnerability Resolution
### Release notes
In GitLab, you can see a report of the vulnerabilities found on a project's default branch. Often it isn't immediately clear how to resolve a vulnerability. With this release you can click a button on a specific SAST vulnerability that opens a merge request with a suggested fix for that vulnerability.
### Problem to solve
- Vulnerability remediation can be complex and may not be a simple code change. Where does one start? How can a user work efficiently across departments to get a critical vulnerability fixed?
- It is important to make the suggestion as accurate as possible. Doing so requires security remediation knowledge and an understanding of the specific code base. Today tokens are limited and we are unable to provide the entire file and/or code base in the prompt without hitting the token limit. We need to find a way to give the LLM enough context for the suggested code change to accurately fix the vulnerability.
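As an added illustration of the token-budget problem above (not GitLab's code, and not how the feature is implemented), one approach is to grow a window of source lines around the flagged lines until the budget is exhausted, then number the lines so a suggested patch can be mapped back to the file. The SAST finding and source file below are constructed for the example; the four-characters-per-token estimate is a placeholder assumption standing in for the provider's real tokenizer.

```ruby
# Constructed SAST finding; the keys mirror the location/identifiers fields of
# a GitLab SAST report, but the values are made up for this illustration.
FINDING = {
  "name" => "Improper neutralization of special elements used in an SQL command",
  "identifiers" => [{ "type" => "cwe", "name" => "CWE-89", "value" => "89" }],
  "location" => { "file" => "app/models/user.rb", "start_line" => 7, "end_line" => 7 },
}.freeze

# Constructed source file the finding points at (line 7 is the flagged line).
SOURCE = <<~'RUBY'.freeze
require "digest"

class User < ApplicationRecord
  # Look up a user by the login supplied on the sign-in form.
  def self.by_login(login)
    # Vulnerable: login is interpolated straight into SQL.
    where("login = '#{login}'").first
  end

  def display_name
    name.presence || login
  end
end
RUBY

# Rough token estimate (about four characters per token). This is an assumption,
# not a tokenizer; swap in the model provider's tokenizer when available.
def estimate_tokens(text)
  (text.length / 4.0).ceil
end

# Grow a window around the flagged lines one line at a time, alternating upward
# (enclosing method/class, imports) and downward, until adding another line
# would exceed token_budget. Returns [first, last], 1-based and inclusive.
def context_window(lines, start_line, end_line, token_budget:)
  first, last = start_line, end_line
  fits = ->(a, b) { estimate_tokens(lines[(a - 1)..(b - 1)].join) <= token_budget }
  raise ArgumentError, "flagged lines alone exceed the token budget" unless fits.call(first, last)

  loop do
    grew = false
    if first > 1 && fits.call(first - 1, last)
      first -= 1
      grew = true
    end
    if last < lines.size && fits.call(first, last + 1)
      last += 1
      grew = true
    end
    break unless grew
  end
  [first, last]
end

# Build the prompt: finding metadata first, then the numbered snippet. The
# header's own tokens are subtracted from the budget before choosing the window.
def build_prompt(finding, source, token_budget:)
  loc = finding["location"]
  cwe = finding["identifiers"].find { |id| id["type"] == "cwe" }
  header = <<~TXT
    Vulnerability: #{finding["name"]} (#{cwe ? cwe["name"] : "no CWE"})
    File: #{loc["file"]}, lines #{loc["start_line"]}-#{loc["end_line"]}
    Propose a minimal fix that removes the vulnerability without changing behaviour.
  TXT
  lines = source.lines
  first, last = context_window(lines, loc["start_line"], loc["end_line"],
                               token_budget: token_budget - estimate_tokens(header))
  snippet = lines[(first - 1)..(last - 1)].each_with_index.map do |line, i|
    format("%4d | %s", first + i, line)
  end.join
  header + "\n" + snippet
end

puts build_prompt(FINDING, SOURCE, token_budget: 200) if $PROGRAM_NAME == __FILE__
```

The window always contains the flagged lines and never exceeds the budget; when the flagged lines alone do not fit, the function refuses rather than silently truncating the vulnerable code, which is the case a practitioner most needs to notice.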
### Intended users
This feature could be used by any of the following personas. Anyone can open an MR that takes the first steps toward resolving a vulnerability and start a conversation on it.
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/product/personas/#sasha-software-developer)
* [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/product/personas/#priyanka-platform-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/product/personas/#sidney-systems-administrator)
* [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/product/personas/#simone-software-engineer-in-test)
* [Allison (Application Ops)](https://about.gitlab.com/handbook/product/personas/#allison-application-ops)
* [Ingrid (Infrastructure Operator)](https://about.gitlab.com/handbook/product/personas/#ingrid-infrastructure-operator)
* [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
* [Isaac (Infrastructure Security Engineer)](https://about.gitlab.com/handbook/product/personas/#isaac-infrastructure-security-engineer)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)
* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/product/personas/#cameron-compliance-manager)
### Proposal
Within the drawer for `Explain this Vulnerability` a user can click a button to resolve a vulnerability with a merge request.
* The merge request is opened by the user
* The description in the merge request cautions users that this MR was generated by AI and needs to be reviewed with extra scrutiny
### [Criteria for releasing an Experiment](https://internal-handbook.gitlab.io/handbook/product/ai-strategy/ai-integration-effort/prioritization/#criteria-for-releasing-an-experiment)
* [x] You have received explicit approval from your stage leader and Hillary Benson or David DeSanto to proceed with building your AI feature.
* [x] The epic for the prototype has the ~prototype::experiment label applied
* [ ] [General requirements for Experiments](https://docs.gitlab.com/ee/policy/alpha-beta-support.html#experiment) are met.
* [ ] [UX requirements for Experiments](https://internal-handbook.gitlab.io/handbook/product/ai-strategy/ai-integration-effort/ux_maturity/) of AI-assisted features are met.
* [x] [AI model guidance](https://internal-handbook.gitlab.io/handbook/product/ai-strategy/ai-integration-effort/ai_model_guidance/) is followed.
* [x] Feature is gated by a [pre-GA namespace toggle](https://docs.gitlab.com/ee/user/group/manage.html#group-experiment-features-setting) and the [third-party services toggle](https://docs.gitlab.com/ee/user/group/manage.html#group-third-party-ai-features-setting).
* [ ] UI for the feature has been approved by Legal.
* [ ] Feature’s documentation explicitly names the third-party AI service provider and model powering the feature (e.g. Google PaLM text-bison-001).
* [ ] [Requirements from Infrastructure](https://about.gitlab.com/handbook/engineering/infrastructure/feature-support.html) for supporting this level of feature are met.
Note: The requirements for an experimental feature were captured on June 13th. Before release, follow the header link for this section to confirm these are still the requirements, and expand on the requirements that are hyperlinked above.
### Permissions and Security
### Documentation
* [ ] Documentation must include what information is being sent to AI.
* [ ] This feature will be documented on the [AI/ML powered features](https://docs.gitlab.com/ee/user/ai_features.html) page.
* [ ] This feature will also be documented on the [Vulnerability Page](https://docs.gitlab.com/ee/user/application_security/vulnerabilities/#resolve-a-vulnerability) since this experimental AI feature enhances an existing feature.
* [ ] Explicitly name the third-party AI service provider and model powering the feature
### Availability & Testing
### Available Tier
~"GitLab Ultimate"
### Feature Usage Metrics
### What does success look like, and how can we measure that?
### Is this a cross-stage feature?
Yes, this feature will create an MR. This is a cross-stage feature with ~"devops::create".
### What is the competitive advantage or differentiation for this feature?
Snyk has a similar feature; [AI-generated security fixes in Snyk Code](https://snyk.io/blog/ai-generated-security-fixes-in-snyk-code-now-available/)
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._