Add PDF export of security reports
## Release Notes Project and Group Security Dashboards can now be exported as a PDF format. ## Problem to Solve This proposal is to add an exportable pdf format for security results in addition to the CSV report available. Some customers have business requirements to share security findings and reports with their clients and internally, with their executive teams and leadership. In the past, customers had the ability to export DAST_HTML_REPORT in 15.7 ( https://gitlab.com/gitlab-org/gitlab/-/issues/384340) and send to customers. However, this has since been removed and the only export available now is a CSV format. This is causes a big pain for organization because the CSV export is not a feasible format to share externally with their clients. Now, without the HTML reports, customers are either forced to build an internal tool make the CSV export and client appropriate or look for another security tool that offers a PDF sharable report. **PDF reporting export is a basic requirement for every security solution -** It is not only for the sake of internal reporting, but in many cases, it is the only way to enable the security team to _sell_ their work and the product internally and show progress to the executive team. For MVC my quick view would be to have, in addition to the CSV report, an aggregated PDF report which will include the Security _Dashboard details_ and a list of the vulnerabilities from the vulnerability report (either with existing enabled filters or without). ### **High-level requirements** The AppSec engineer should be able to generate a PDF report that includes the existing risk assessment of the scoped environment and the list of vulnerabilities. The goal of this report is to allow the AppSec team to hand this report to upper management to show the current status and trends with the security posture of the scoped projects/groups/orgs. ## In Scope 1. Generates a GitLab branded report containing existing UI and data found on Project and Group Security Dashboards 1. Project 1. Vulnerabilities over time chart 2. Group 1. Vulnerabilities over time chart 2. Project Security Status (letter grades) 2. The export will represent the current state of the page. For example, the user must first expand the "F" grade widget if they would like that to be displayed in the PDF. 3. Report should be sent via email as a downloadable link which is kept for 7 days. This will allow avoiding customer from waiting on the page https://gitlab.com/gitlab-org/gitlab/-/issues/425327#note_2264825358. 4. Instrumentation should be added to log when PDFs are generated. 5. An email should be sent if the PDF Report fails to be generated. 6. New scope: PDF should show the Project or Group name in the header. https://gitlab.com/gitlab-org/gitlab/-/issues/553280 ## Out of Scope 1. The PDF will not be interactive. Chart controls, hover, etc. available in the web UI will not function in the PDF. ## Designs https://gitlab.com/gitlab-org/gitlab/-/issues/425327+ \[Design image attachment\] ## Dependencies * Dependency of: \[\~group::\] \[link to dependency project\] * Dependency on: \[\~group::\] \[link to dependency project\] ## Functional Requirements ### Page Level Support * [x] Project * [x] Group * [ ] Pipeline \> Security (findings) * [ ] MR Security Widget (findings) * [ ] Security Center * [x] Security Dashboard ### Workflow * [ ] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/)) * [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting)) * [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/)) * [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export)) * [x] Requires ~documentation ## Non-Functional Requirements ### Product Usage * [x] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/)) ### Feature Flag Usage * [x] This feature should be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags)) ### Testing * [ ] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/)) * [ ] Requires extended manual / UAT phase * [x] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/)) ## Outstanding Questions | Question | Asked by | Assignee | Priority | Blocking | Answer | |----------|----------|----------|----------|----------|--------| | How should Group: Project Security Status (letter grades) be rendered? Currently you may expand only one letter group at a time. Should "F" be expanded? | | @beckalippert @mclausen35 | | Yes | Decision: The PDF generated will match what is currently displayed on the page. | | Should the PDF be paged or pageless? | @beckalippert | @wandering_person | | No | | | How should a failed to load component look? | @beckalippert | @wandering_person | Medium | No | | ## Resources 1. [Epic Board](Milestone) showing issues across workflow stages. 2. Documentation links 3. Prior work/projects 4. Figma: https://www.figma.com/design/yn9sq76JCtDnPUfCR6UYCl/Secure-section--Becka?node-id=10156-94947&t=xYGMcHeKlA0I5PKv-1 . 5. Requesting customers 1. https://gitlab.my.salesforce.com/0016100001ABpAcAAL (internal only) 2. gitlab#267581+ (Additional customers in this issue) 3. gitlab#352075+ (Additional customers in this issue)\] ## ## Planning Breakdown / Implementation Plan Important Dates: - %"18.1" = Release: 2025-06-19 | Code Cut off: **2025-06-13** - %"18.2" = Release: 2025-07-17 | Code Cut off: **2025-07-11** <table> <tr> <th>Type</th> <th>Task</th> <th>Issue</th> <th>Team</th> <th>Milestone</th> </tr> <tr> <td> ~"type::feature" </td> <td>Implement UI-only PDF export in Project Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/545959+s </td> <td> ~frontend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement UI-only PDF export in Group Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546018+s </td> <td> ~frontend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement API integration for Project Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/545958+s </td> <td> ~frontend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td> Store report data provided by the ~frontend on the `vulnerability_export` to be used in the export worker </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546360+s </td> <td> ~database </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td> Update the `vulnerability_export` API to begin consuming report data from the frontend. </td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/524058+s </td> <td> ~backend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Render the existing "vulnerabilities over time" component in the project level PDF</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/524056+s </td> <td> ~backend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Render the existing "vulnerabilities over time" component in the group level PDF</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/524057+s </td> <td> ~backend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Render the existing "project grades" component in the PDF</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/538851+s </td> <td> ~backend </td> <td> %"18.1" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement API integration for "vulnerabilities" in the Group Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546165+s </td> <td> ~frontend </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement API integration for "security" in the Group Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546166+s </td> <td> ~frontend </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement limit number of requests for the Project Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546167+s </td> <td> ~frontend </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Implement limit number of requests for the Group Security Dashboard</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546168+s </td> <td> ~frontend </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Create documentation for PDF export</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546218+s </td> <td> ~documentation </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Failure email and error logging</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/550030+ </td> <td> ~backend </td> <td></td> </tr> <tr> <td> ~instrumentation </td> <td>Instrumentation</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/547599+ </td> <td> ~instrumentation </td> <td></td> </tr> <tr> <td> ~instrumentation </td> <td>Track the file size of the generated pdfs</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/547599+s </td> <td> ~instrumentation ~backend </td> <td> %"18.2" </td> </tr> <tr> <td> ~"type::feature" </td> <td>Feature Flag Roll out</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546219+s </td> <td> ~backend ~frontend </td> <td>18.2 / 2025-07-11</td> </tr> <tr> <td> ~"type::maintenance" </td> <td>Feature Flag Clean up</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546220+s </td> <td> ~backend ~frontend </td> <td></td> </tr> <tr> <td>Verification</td> <td>Self-managed testing</td> <td> https://gitlab.com/gitlab-org/gitlab/-/issues/546416+s </td> <td></td> <td></td> </tr> </table> ## **Post MVC Requirements (Second Iteration release)** * Introduce two options for the report, once clicking on it * All vulnerabilities * Filtered view - only vulns under the current view (MVC) * Provide a detailed report with description of each vulnerability - limit is 100 vulnerabilities. If the filtered view includes more, ask the user to add another filter. Other considerations: * Asked `@khornergit` (PM, Compliance) if there would be a need to export ALL vulnerabilities in the report, because for MVC we're not including deleted or archived vulns. His response: > Thanks for the tag here `@beckalippert` . I agree that the export of all vulns will depend on the context: > * If it is a data dump for auditors for the purpose of a regular audit, then yes they will probably want all vulnerabilities. When chatting with auditors or with users that experience an audit, most stress the need to be able to access all the data as they want to be able to sift through the data themselves to determine if the company has met the audit, or to ask additional questions; > * If it is an export for compliance managers, for one reason or another, I believe that an export of just the 'Critical' and 'High' vulnerabilities might make sense, as that would be more aligned with Vulnerabilities that may show non-compliance to a certain standard, framework or internal policy. > > Will leave it up to you and Dean to see what's required but the above is just my two cents :smile: * As of Jan 2025, Dean was going to follow-up with Ian about this directly, but I wanted to make note of it because the conversation took place in a now-archived design thread. ## Resources 1. [Project sync agenda doc](https://docs.google.com/document/d/1SN96hAvS0rGJNo-NTC46zhH2QytYyyJ_ZozPMt-tCl0/edit?tab=t.0) <!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION--> > [!important] > > This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc. <!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
epic