# Security Data in the Merge Request 'Reports' Tab

## Executive Summary

The MR widget is not delightful to developers because the complete set of scan data is dumped on them. Results need to be carefully curated for developers: the appropriate results, with the appropriate context, should be presented in the appropriate place, and the appropriate workflows should be supported. This epic improves the place (a new tab) and the type of results (blockers).

## Business Case

This is related to the improvement of our North Star Metric (NSM): increasing the count of vulnerabilities managed in GitLab.

1. Original UX Research: https://gitlab.com/groups/gitlab-org/-/epics/11194#consolidated-research
2. The most recent data indicates that 128K users view the security widget, 8.5K expand the widget, and 5.4K click into the full report. Since only about 4% of users viewing the widget end up actioning the vulnerabilities, we have a significant opportunity to improve our North Star Metric by improving actioning of vulnerabilities in the MR.
3. The NSM is assumed to be related to reducing churn and improving expansion opportunities.
4. Target metric: Increase the Security Insights NSM
   1. Secondary metric: Improve the funnel from 4% conversion
      1. View: `redis_hll_counters.code_review.i_code_review_merge_request_widget_security_reports_view_monthly`
      2. Expand: `redis_hll_counters.code_review.i_code_review_merge_request_widget_security_reports_expand_monthly`
      3. Click: `redis_hll_counters.code_review.i_code_review_merge_request_widget_security_reports_full_report_clicked_monthly`

#### Engineering Assessment

tbd

### DRIs

* PM: @mclausen35
* Engineer: tbd
* EM: tbd
* ~"group::security insights"
* Engineering Owner: @nmccorrison

## Scope

### In scope

1. On the reports page, a ['blockers view'](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Default.png) that shows all Code Quality, Security, and License Compliance records which caused the MR to be blocked.
   1. The indicators that the pipeline must be complete and the security policies must be evaluated are not required to be built by sec insights.
   2. Security 'blockers' are represented by vulnerability records that are caught by an MR Block policy.
   3. Code Quality and License 'blockers' may require additional work to wire up a connection of 'blockers' based on policy.
   4. Show the policy violation count, the criticals, and the highs.
2. On the reports page, a ['warnings view'](https://gitlab.com/gitlab-org/gitlab/-/issues/469605/designs/MR_-_Reports_tab_-_Violations_-_Request_review_-_select_reviewer.png) that shows all security policy records and corresponding vulnerabilities that cause the MR to trigger warnings. These are defined by policy.
3. On the blockers tab, a [clickable right pane for policy details](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Policy_details.png), including Summary, Policy Type, Description, Source, and target/source branch.
4. On the blockers tab, [the ability to show configuration errors](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Policy_details_w__error.png) for policy configurations in cases where the policy is not configured correctly, in the same right pane as above.
   1. For example, if a policy requires multiple approvers but only one is available in the system, a configuration error will be displayed.
   2. There are other errors that Security Policies can enumerate; they are surfaced as policy-bot error comments.
5. On the blockers tab, a [clickable right pane for vulnerability details](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details.png).
6. Support [workflows in the vulnerability details right pane](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details_-_Overflow_menu.png):
   1. Resolve with AI
   2. Create an issue
   3. Dismiss vulnerability
   4. Confirm vulnerability
7. A security report that shows the complete list of findings.
   1. The security report should theoretically support the same vulnerability details (#5) and workflows (#6).
8. A list of issues related to license compliance in the license compliance tab on the left hand side.
9. A list of issues related to code quality findings in the code quality tab on the left hand side.
10. If no scanners ran related to those findings, hide them.
11. Ensure the potential FP icons, metadata, and flows documented in this epic are available in the tab as well: https://gitlab.com/groups/gitlab-org/-/epics/18977

### Out of scope

* In the right pane for vulnerability details, [the ability to hover over the policy in the vuln details page to see the 'policy summary'](https://gitlab.com/gitlab-org/gitlab/-/issues/462123/designs/MR_-_Reports_tab_-_Violations_-_Finding_details_-_Policy_popover.png)
* The indicators that the pipeline must be complete and the security policies must be evaluated are not required to be built by sec insights.
* Code quality results do not support the concept of 'blockers' today.

## Outstanding Questions

| Question | Answer | Assignee | Priority | Blocking? |
|----------|--------|----------|----------|-----------|
|          |        |          |          |           |

## Designs

https://gitlab.com/gitlab-org/gitlab/-/work_items/462123+

## Dependencies

* None known

## Functional Requirements

### Page Level Support

* [ ] Project
* [ ] Group
* [x] Pipeline \> Security (findings)
* [x] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard

### Workflow

* [ ] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/))
* [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export))
* [x] Requires ~documentation

## Non-Functional Requirements

### Product Usage

* [x] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))

### Feature Flag Usage

* [x] This feature should be released behind a feature flag ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))

### Testing

* [x] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [ ] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))

## Resources

1. [Epic Board](Milestone) showing issues across workflow stages.
2. Documentation links
3. Prior work/projects
epic