Bring Container Scanning to Free
### Intended users

* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

## Overview

GitLab Enterprise Edition includes [Container Scanning](https://docs.gitlab.com/ee/user/application_security/container_scanning/). We will move it to Core to fulfill [our stewardship promise](https://about.gitlab.com/company/stewardship/#promises).

## Proposal

Move GitLab's Container Scanning capability to the Free tier per the table below. Note that the bottom six capabilities should remain in ~"GitLab Ultimate" only.

| Capability | In Free | In Ultimate |
| --- | --- | --- |
| [Configure Scanners](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration) | **Yes** | Yes |
| Customize Settings ([Variables](https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables), [Overriding](https://docs.gitlab.com/ee/user/application_security/container_scanning/#overriding-the-container-scanning-template), [offline environment support](https://docs.gitlab.com/ee/user/application_security/container_scanning/#running-container-scanning-in-an-offline-environment), etc.) | **Yes** | Yes |
| [View JSON Report](https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format) as a CI job artifact | **Yes** | Yes |
| Generation of a JSON report of [dependencies](https://docs.gitlab.com/ee/user/application_security/container_scanning/#dependency-list) as a CI job artifact | **Yes** | Yes |
| Ability to enable container scanning via an MR in the GitLab UI | **Yes** | Yes |
| [UBI Image Support](https://docs.gitlab.com/ee/user/application_security/container_scanning/#ubi-based-images) | **Yes** | Yes |
| Support for Trivy | **Yes** | Yes |
| Support for Grype | **Yes** | Yes |
| Inclusion of GitLab Advisory Database | Limited to the time-delayed content from GitLab's [advisories-community](https://gitlab.com/gitlab-org/advisories-community/) project (once [this feature](https://gitlab.com/groups/gitlab-org/-/epics/7395) is completed) | Yes, all the latest content from [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) (once [this feature](https://gitlab.com/groups/gitlab-org/-/epics/7395) is completed) |
| Presentation of report data in the merge request and in the Security tab of the CI pipeline job | No | Yes |
| [Interaction with Vulnerabilities](https://docs.gitlab.com/ee/user/application_security/container_scanning/#interacting-with-the-vulnerabilities) such as merge request approvals | No | Yes |
| [Solutions for vulnerabilities (auto-remediation)](https://docs.gitlab.com/ee/user/application_security/container_scanning/#solutions-for-vulnerabilities-auto-remediation) | No | Yes |
| Support for the [vulnerability allow list](https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting) | No | Yes |
| [Access to Security Dashboard page](https://docs.gitlab.com/ee/user/application_security/container_scanning/#security-dashboard) | No | Yes |
| [Access to Dependency List page](https://docs.gitlab.com/ee/user/application_security/dependency_list/) | No | Yes |

### Documentation

Update the documentation to make the distinction between product tiers clear, stating what is and is not included in each.

### Testing

Perform end-to-end tests with both a Core and a ~"GitLab Ultimate" license to ensure that the correct functionality is exposed in each license tier.

### What does success look like, and how can we measure that?

We are targeting a significant increase in usage as part of this feature. This can be measured by the monthly active users for container scanning.

### What is the type of buyer?

~"GitLab Free"

### Open Questions

### Links / references

Engineering DRI

- ~backend @sashi_kumar
- ~frontend (if any) @aturinske