Security Dashboard Upgrade - Security Attribute Filters
## TL;DR
Add security attribute filters to security dashboard
## Overview
Security teams cannot filter the Security Dashboard by security attributes (the key-value pairs configured in Business Context). This epic adds that filtering on top of the existing Report type and Project filters. Security attributes and their categories can be configured by the user, so filtering is dynamic.
This epic thus handles adding filtering for security attributes (grouped in their categories) on top of the current page-level Report type and Project filtering.
**_Note:_**_ The Application, Business Unit, and Exposure level categories start off with no attributes. In that case, they also don't appear when querying for security categories and attributes._
This feature should be released behind a feature flag
## Business Value
Security teams need to filter vulnerabilities by business context—questions like "show me criticals in public-facing apps" can't be answered today. This filtering will help security managers triage incidents faster, compliance teams pull scoped reports, and engineering leads focus on their domain.
## Success Criteria
- [ ] Users can filter vulnerabilities by all security attribute categories
- [ ] The security attribute filtering works alongside the existing filtering in
## Scope
### In Scope
- Security attribute filter controls on Group-level
### Out of Scope
- Security attribute filter controls on Project-level
## Timeline & Milestones
**Start Date**: YYYY-MM-DD
**Target Date**: %"18.10" (refinement in %"18.9")
**Status**: \[On Track / Needs Attention / At Risk\]
### Key Milestones
- [ ] Milestone 1 - Target: YYYY-MM-DD
- [ ] Milestone 2 - Target: YYYY-MM-DD
## Dependencies & Blockers
_Blocked by:_
- https://gitlab.com/groups/gitlab-org/-/work_items/18010 - security attributes must be definable and assignable to projects
- SecInfra (sync data to ES, likely) - TBD
## Deliverables
All deliverables should be listed directly under this section. Use milestones and labels (e.g. \~"Phase 1", \~"Phase 2") to group work and track progress clearly across the epic.
## Decision Log
Track key decisions to avoid rehashing discussions
| Date | Decision | Rationale | Owner |
|------|----------|-----------|-------|
| | | | |
## Open Questions
- Do we need to restrict project filter when using security attributes and vice versa?
- Can we use resolver on `securityMetrics` to map from security attributes to project IDs, or does each chart's resolver need this?
## Resources
* https://gitlab.com/groups/gitlab-org/-/epics/18010+s
* [Documentation - Security Atrributes](https://docs.gitlab.com/user/application_security/attributes/)
* Design:
{width="1000px"}
epic