# Security Data in Merge Request Iteration 1: Migrate Existing Experience
## Executive Summary / Business Case
This epic covers the work to move the existing merge request security data into the new tab-based experience in order to unblock the Code Create team. See the parent epic for further details.
### Engineering Assessment
TBD
### DRIs
* PM: @mclausen35
* EM: @ajbiton
* ~"group::security insights"
* Engineering Owner: @sming-gitlab
* Design: @beckalippert
* Technical writer: @rlehmann1
## Scope
### In scope
1. A new security reports tab that shows the complete list of findings, as in the [original mockup](https://gitlab.com/gitlab-org/gitlab/-/work_items/462123/designs/MR_-_Reports_tab_-_Security_report.png).
   1. The security report should represent findings in the same way the MR widget does now (a list of findings with minimal metadata).
2. A list of issues related to license compliance in the license compliance tab on the left-hand side.
3. A list of issues related to code quality findings in the code quality tab on the left-hand side.
4. If no scanners that produce a given kind of finding ran, hide that section.
### Out of scope
1. Blocker / Warn categorizations (these will remain in the GitLab bot)
   1. On the reports page, a ['blockers view'](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Default.png) that shows all Code Quality, Security, and License Compliance records which caused the MR to be blocked.
      1. The indicators that the pipeline must be complete and that the security policies must be evaluated are not required to be built by Security Insights.
      2. Security 'blockers' are represented by vulnerability records that are caught by an MR Block policy.
      3. Code Quality and License 'blockers' may require additional work to wire up a connection of 'blockers' based on policy.
      4. Show the policy violation count, the criticals, and the highs.
   2. On the reports page, a ['warnings view'](https://gitlab.com/gitlab-org/gitlab/-/issues/469605/designs/MR_-_Reports_tab_-_Violations_-_Request_review_-_select_reviewer.png) that shows all security policy records and corresponding vulnerabilities that cause the MR to trigger warnings. These are defined by policy.
2. Supplemental policy information
   1. On the blockers tab, a [clickable right pane for policy details](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Policy_details.png), including Summary, Policy Type, Description, Source, and target/source branch.
   2. On the blockers tab, [the ability to show configuration errors](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Policy_details_w__error.png) for policy configurations in cases where the policy is not configured correctly, in the same right pane as above.
      1. For example, if a policy requires multiple approvers but only one is available in the system, a configuration error will be shown.
      2. There are other errors that Security Policies can enumerate; they are surfaced as policy-bot error comments.
3. Workflows
   1. On the blockers tab, a [clickable right pane for vulnerability details](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details.png).
   2. Support [workflows in the vulnerability details](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details_-_Overflow_menu.png) right pane:
      1. Resolve with AI
      2. Create an issue
      3. Dismiss vulnerability
      4. Confirm vulnerability
   3. Ensure the potential false-positive icons, metadata, and flows documented in this epic are available in the tab as well: https://gitlab.com/groups/gitlab-org/-/epics/18977
* In the right pane for vulnerability details, [the ability to hover over the policy in the vulnerability details page to see the 'policy summary'](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details_-_Policy_popover.png).
* The indicators that the pipeline must be complete and that the security policies must be evaluated are not required to be built by Security Insights.
* Code quality results do not support the concept of 'blockers' today.
## Designs
<table>
<tr>
<th>Design</th>
<th>Notes</th>
</tr>
<tr>
<td>
(Design mockup: merge request overview with the new Reports tab; image not included here)
</td>
<td>

* Add Reports tab
* In the "Merge blocked" widget, if blocking security findings exist, add a link to the Security Bot message (under Activity)
* No changes to existing widgets

</td>
</tr>
<tr>
<td>
(Design mockup: Reports tab; image not included here)
</td>
<td>
Reports tab: separate sections for Security findings, License Compliance, and Code Quality, shown only if findings exist. Hide a section if it has no findings.
Does not yet include the `Blockers` section.
</td>
</tr>
</table>
## Dependencies
* None known
## Functional Requirements
### Page Level Support
* [ ] Project
* [ ] Group
* [ ] Pipeline > Security (findings)
* [ ] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard
### Workflow
* [ ] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/))
* [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export))
* [x] Requires ~documentation
## Non-Functional Requirements
### Product Usage
* [x] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/)): access to the merge request security tab must be instrumented.
### Feature Flag Usage
* [ ] Should this feature be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))
### Testing
* [ ] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [ ] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))
## Implementation Notes
```glql
display: table
fields: title, status, milestone, assignees
sort: milestone asc
query: epic = &20406 and type = Issue
```
## Phases
This epic will be implemented in the following phases, in order:
1. https://gitlab.com/groups/gitlab-org/-/work_items/20555+
2. https://gitlab.com/groups/gitlab-org/-/work_items/20553+
3. https://gitlab.com/groups/gitlab-org/-/work_items/20554+
## Outstanding Questions
| Question | Answer | Assignee | Priority | Blocking? |
|----------|--------|----------|----------|-----------|
| | | | | |
## Resources
1. [Epic Board](Milestone) showing issues across workflow stages.
2. Documentation links
3. Prior work/projects