Add awareness of whether scanners have been enabled on Security Dashboard
Problem to solve
Currently there's no way to see which scanners have been enabled from the Security Dashboard. For example, if only Container Scanning and DAST are enabled, and these scanners are reporting vulnerabilities to the list, there's no way to tell that Dependency Scanning and SAST are available but not enabled.
Solution
1st alert: when a pipeline has not been run yet:
Mockups: Step 1 (view alert) and Step 2 (where the link takes the user).
2nd alert: when scanners have not been enabled:
Mockups: Step 1 (view alert) and Step 2 (where the link takes the user).
3rd alert: For some combination of the two:
* (updated copy per #221156 (comment 371836715): SAST results are not available because a pipeline has not been run or the most recent pipeline did not succeed.)
More info
| Scenario | Result |
|---|---|
| 1+ scanner(s) types filtered, all enabled, vulns found | Show vulnerability list |
| 1+ scanner(s) types filtered, all enabled, NO vulns found | Show empty state in #200003 (comment 332428400) |
| 1+ scanner(s) types filtered, NONE enabled | Show empty state in #200003 (comment 332428400) |
| 1+ scanner(s) types filtered, all scanner type(s) enabled, some scanners found vulns but others didn't | Only show found vulnerabilities in list |
The dismissed state of each alert should be stored locally on the user's machine, and an alert should not reappear after it has been dismissed, so that users don't have to dismiss it every time they come to the page.
Context
Discussion and feedback here from Explore improving banners and other awareness communication on dashboards
Implementation
GraphQL
Query
```graphql
{
  project(fullPath: "ssarka/demo-historic-secrets") {
    securityScanners {
      enabled
      available
      pipelineRun
    }
  }
}
```
Result
```json
{
  "data": {
    "project": {
      "securityScanners": {
        "enabled": ["SAST", "DAST"],
        "available": ["SAST", "DAST", "CONTAINER_SCANNING", "SECRET_DETECTION", "DEPENDENCY_SCANNING"],
        "pipelineRun": ["DAST"]
      }
    }
  }
}
```
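As an added example (not GitLab's own code), this sketch shows how a client could turn the `securityScanners` result above into the three alerts and honor local dismissal. It assumes `pipelineRun` lists the scanners that ran in the most recent pipeline; the function names, alert type strings and storage key are hypothetical.

```javascript
// Added example: all names below are assumptions, not GitLab identifiers.
// Constructed sample input: the securityScanners object from the Result above.
const sample = {
  enabled: ['SAST', 'DAST'],
  available: ['SAST', 'DAST', 'CONTAINER_SCANNING', 'SECRET_DETECTION', 'DEPENDENCY_SCANNING'],
  pipelineRun: ['DAST'],
};

// Split the available scanners into the two coverage gaps the alerts describe.
function classifyScanners({ enabled = [], available = [], pipelineRun = [] }) {
  const on = new Set(enabled);
  const ran = new Set(pipelineRun);
  return {
    notEnabled: available.filter((s) => !on.has(s)),
    notRun: available.filter((s) => on.has(s) && !ran.has(s)),
  };
}

// Map the gaps to the 1st, 2nd or 3rd alert; null means full coverage.
function pickAlert(scanners) {
  const { notEnabled, notRun } = classifyScanners(scanners);
  if (notEnabled.length === 0 && notRun.length === 0) return null;
  let type = 'PIPELINE_NOT_RUN'; // 1st alert
  if (notEnabled.length > 0) type = notRun.length > 0 ? 'COMBINED' : 'NOT_ENABLED'; // 3rd : 2nd
  return { type, notEnabled, notRun };
}

const DISMISS_PREFIX = 'security_dashboard_alert_dismissed:'; // hypothetical key

// `storage` is any object with getItem/setItem, e.g. window.localStorage.
function dismissAlert(alert, storage) {
  storage.setItem(DISMISS_PREFIX + alert.type, 'true');
}

// Return the alert to render, or null if none applies or it was dismissed.
function visibleAlert(scanners, storage) {
  const alert = pickAlert(scanners);
  if (!alert) return null;
  return storage.getItem(DISMISS_PREFIX + alert.type) === 'true' ? null : alert;
}

// In-memory stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

const store = memoryStorage();
console.log(visibleAlert(sample, store));
```

For the sample result, SAST is enabled but has no pipeline run and three scanners are available but not enabled, so the combined (3rd) alert applies until it is dismissed.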



