# Release 0 (Crawl) - [SPM] Centralized Security Scanner Enablement

## Overview

Release 0 is the MVC for Centralized Security Scanner Enablement. Ship what's mostly built: low gap, low complexity. Deliver an immediately useful surface using existing data and infrastructure.

* **Parent epic:** https://gitlab.com/groups/gitlab-org/-/work_items/21299
* **Full release breakdown (R0/R1/R2):** https://gitlab.com/gitlab-org/gitlab/-/work_items/595185
* **Interlock issue:** https://gitlab.com/gitlab-org/gitlab/-/work_items/595472
* **Design issue:** https://gitlab.com/gitlab-org/gitlab/-/work_items/593900
* **Target:** Q2

## Target Metrics

**North Star:** ≥66% of active Ultimate accounts with ≥25% of push projects running 2+ scanners, enabled via SPM enablement ([Tableau](https://10az.online.tableau.com/#/site/gitlab/views/ofAccountswith25ofPushProjectsusing3scanner/ofAccountswith25ofPushProjectsusingNScanners?:iid=1))

**End of Q2:**

1. ≥62% of active Ultimate accounts with ≥25% of push projects running 2+ scanners
2. ≥4% of active Ultimate accounts with scanners enabled via SPM flows

## Key Engineering Decisions (confirmed Apr 2026)

* **Stat cards use Security Inventory as the data source.** Not profile-specific statistics. Building profile-only counters would duplicate all the work already done for Security Inventory (new tables, aggregation, performance tuning) for a model we would eventually replace. Using Security Inventory avoids that duplication and ensures the stat cards match what users see elsewhere.
* **Scanner detail view shows all projects, not just profile-managed ones.** The "Profile" column is replaced with a "Source" column. Source values: Scan Profile, Security Execution Policy (SEP), Pipeline Execution Policy (PEP), Pipeline source (catch-all for CI YAML), No profile applied.
* **"No profile applied" is the key nudge.** For unconfigured projects, Source shows "No profile applied" to drive users toward the wizard. This is the primary job to be done from this page.
* **Scanner health definitions match Security Inventory.** Same Active / Needs Attention / Stale definitions across both surfaces, so the two never disagree and break user trust. Profile-managed projects get richer detail (e.g. "last 5 scans failed") via Nico's source attribution work.
* **No cross-team dependencies**, except Nico's profile source attribution work, which is already in flight.

## Scope

### Security Configuration Dashboard

| Feature | Scope |
|---------|-------|
| Stat cards | Projects without coverage, Scanners enabled, Needs attention, Stale scans. Sourced from Security Inventory |
| Stat card 4 | Stale scans: projects not scanned in 90+ days. Replaces "Scanner problems", which duplicated "Needs attention" |
| Scanner row overflow menu | Removed for MVC. No clear actions identified |
| Confirmed scanners | Dependency Scanning, SAST, Secret Detection. Container Scanning is not included in this release |
| Scanner detail view | Per-scanner drill-down showing all projects with a Source column, scanner health, last scan time, and a Security Attributes column |
| Default sort order | Failed > Warning > Stale > Unconfigured > Active (worst to best). Stat cards act as quick filters |
| Security Attributes column | Included so users can visually confirm that attribute-based filters are matching the expected projects |

### Enable Scanner Wizard

| Feature | Scope |
|---------|-------|
| Setup goal | Quick Setup (recommended defaults, ~3 min) and Advanced Setup (~9 min) entry point |
| Project scope selection | Manual project / subgroup selection; max ~100 object IDs per mutation. Filters align with Security Inventory filters. All projects are shown, including fully-covered ones (the wizard may be used to change a profile or add a scanner, not just for initial enablement) |
| Scanner + profile selection | Select scanners; the Standard profile is auto-assigned per scanner type; one profile per scanner per mutation call |
| Apply progress | Email notification only, using the same rollup email mechanism as Security Attributes (summarizing project-level failures). No in-UI monitoring for Release 0. Revisit for Release 1 |
| Wizard abandonment | Unsaved-changes modal when the user navigates away mid-wizard. No saved/draft state, so communicate that progress will be lost. @mfangman to design the modal |
| Object ID cap | No special treatment for MVC. Users can apply filters (e.g. "no scanner coverage") to find and select unconfigured projects on subsequent runs. Document in release notes |
| Scale | Up to ~100 object IDs per apply operation |
| Scan triggers (Review step) | Keep in profile preview only. Not surfaced inline |
| Estimated CI impact | Removed for Release 0 and Release 1. Revisit in Release 2 |
| Rollout plan display | Walk phase (stretch goal for crawl). Drop rollout time for the initial release |
| Post-confirmation destination | Page is good as is for Release 0. Future iterations: progress tracking (in progress vs. complete), real-time per-project monitoring |

### Scanner Details Page: "Apply" CTA

| Decision | Detail |
|----------|--------|
| Destination | Send users directly to the Review Configuration step, pre-populated with the unconfigured projects and the current scanner already selected. Skip the project scope and scanner selection steps |
| Button copy | "Apply for projects" is unclear. Placeholder for now. Candidates: "Enable for more projects", "Expand coverage". Finalize once design is in the issue |

### Pipeline Triggers

| Feature | Scope |
|---------|-------|
| Trigger types | Push / MR events (existing pipeline-based scan injection) |

### Disablement Workflow

Defer the full disablement workflow. Design a disable affordance on the scanner details page as a stretch goal. The existing Security Inventory "disable scan profiles" action serves as the interim workaround.

Design principle: enablement should be prominent and easy; disablement should require deliberate action. Copy on any disable action should say "disable profile-based configuration" (not "disable scanner") to make clear it only affects profile-managed projects.

## Out of Scope for Release 0

* Release 1 (walk)
* Release 2 (run)
* Leveraging DAP

---

## Open Items

* https://docs.google.com/document/d/12-UHjhTz8Gl5LZuQ9E3rFvIIKIBP9SbfhTQRFXkONS8/edit?tab=t.0
epic