Filter by Validity Status and Enable Refresh (Dependency of Secret Detection)
## Release Notes
Description of feature to be used in the ~"release post item" ([docs](https://handbook.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-instructions))
## Problem to Solve
As an application security engineer, I want to know whether the secret findings in my vulnerability report actually expose me to real risk. If the credential is no longer active, the risk doesn't exist. If it is active, I know I need to focus my efforts there.
When secret scanning reveals exposed credentials such as passwords or API keys, the security team's immediate priority is to assess the token's status and permissions. This evaluation helps determine both if the credential remains active and what systems or data it could potentially access. Today, we leave it to users to triage the findings and identify whether the finding is valid or not.
This can add up to a lot of work identifying fake or canned credentials. When we do a historical scan, we might even end up notifying users of credentials that had already been discovered and revoked long ago (assuming they hadn't already addressed the finding within the security dashboard). The validity status enables teams to make risk-based prioritization decisions.
~"group::secret detection" prerequisite project https://gitlab.com/groups/gitlab-org/-/epics/13988+
## In Scope
1. Filter vulnerabilities by Validity Status
   1. Addition of a new top-level filter on the vulnerability report
   2. Available behind a feature flag and when the `accessAdvancedVulnerabilityManagement` feature ability flag is enabled
   3. Group and Project vulnerability report pages
2. Implement the token refresh UI button on the Vulnerability page as well as the MR security widget, as per these designs: [gitlab#520928 (closed)](https://gitlab.com/gitlab-org/gitlab/-/issues/520928).
   1. Note that secret detection already has issues for adding the button to both places: [Vulnerability finding page](https://gitlab.com/gitlab-org/gitlab/-/issues/534430), [MR security modal](https://gitlab.com/gitlab-org/gitlab/-/issues/534431)
## Out of Scope
1. Add the 'token status' to the page, so users can see the information in the first place.
   1. This is being done by ~"group::secret detection" through https://gitlab.com/groups/gitlab-org/-/epics/17657+ as part of the Beta scope.
### Self-managed Support
New filters leverage https://gitlab.com/groups/gitlab-org/-/epics/13510+. Elasticsearch is available across SaaS/gitlab.com and Dedicated. Self-managed instances have several considerations (technical and licensing). There is no timeline for self-managed support. SSOT issue is https://gitlab.com/gitlab-org/gitlab/-/issues/525484+
## Designs
https://gitlab.com/gitlab-org/gitlab/-/issues/479341/designs/Validity_check_filter.png
\[Design image attachment\]
## Dependencies
* Dependency of: ~"group::secret detection" https://gitlab.com/groups/gitlab-org/-/epics/16890+
* Dependency on https://gitlab.com/gitlab-org/gitlab/-/issues/541470+ for Elasticsearch finder training
* :white_check_mark: Dependency on: ~"group::security infrastructure" https://gitlab.com/groups/gitlab-org/-/epics/17857+
## Functional Requirements
### Page Level Support
* [x] Project vulnerability report
* [x] Group vulnerability report
* [ ] Pipeline \> Security (findings)
* [ ] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard
### Workflow
* [x] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/))
* [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export))
* [x] Requires ~documentation
## Non-Functional Requirements
### Product Usage
* [ ] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
### Feature Flag Usage
* [x] This feature should be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))
* [ ] Additionally behind `accessAdvancedVulnerabilityManagement` ability flag check
### Testing
* [ ] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [ ] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))
## Outstanding Questions
| Question | Assignee | Priority | Blocking? |
|----------|----------|----------|-----------|
|          |          |          |           |
|          |          |          |           |
## Resources
1. [Planning commit slide](https://docs.google.com/presentation/d/1ABoGLJkQZNs3Y92NELNrRvjsbo_PNEjGMyCRVz2sU2A/edit?slide=id.g349464dc755_52_0#slide=id.g349464dc755_52_0)
2. [Epic Board](Milestone) showing issues across workflow stages.
3. Documentation links
   1. https://gitlab.com/gitlab-org/gitlab/-/issues/541470+
4. Prior work/projects
   1. https://gitlab.com/groups/gitlab-org/-/epics/17251+ - 18.2
   2. https://gitlab.com/groups/gitlab-org/-/epics/18012+ - 18.3
## Planning Breakdown / Implementation Plan
| Type | Description | Issue | BE/FE | Dependency | Milestone |
|------|-------------|-------|-------|------------|-----------|
| Training | Training on adding a new finding via Elasticsearch | https://gitlab.com/gitlab-org/gitlab/-/issues/541470+ | | ~"group::security infrastructure" | 18.3 |
| ~"type::feature" | Elasticsearch finder | Link | ~backend | | 18.3 |
| | GraphQL | | ~backend | | 18.3 |
| ~"type::feature" | Support tooltip for validity-check | https://gitlab.com/gitlab-org/gitlab/-/issues/557869+ | ~frontend | | 18.3 |
| ~"type::feature" | Add validity check filter token (UI only) | https://gitlab.com/gitlab-org/gitlab/-/issues/557870+ | ~frontend | | 18.3 |
| ~"type::feature" | GraphQL integration for validity check | https://gitlab.com/gitlab-org/gitlab/-/issues/557871+ | ~frontend | Requires BE GraphQL query | 18.4 |
| ~"type::feature" | Add v2 version of validity-check | https://gitlab.com/gitlab-org/gitlab/-/issues/557872+ | ~frontend | | 18.4 |
| ~"type::feature" | Add documentation | https://gitlab.com/gitlab-org/gitlab/-/issues/557884+ | ~"Technical Writing" | | 18.4 |