Split Dependency Scanning report from SAST report in CI View
Description
In https://gitlab.com/gitlab-org/gitlab-ee/issues/4967 we decided to split our current SAST checks in two:
- "Real" SAST tools doing code analysis
- Dependency scanning tools, like Gemnasium
We want to differentiate these two items in our security reports. This requires separate reports for SAST and Dependency Scanning, so they can be managed as easily as they are managed now.
This issue is only about CI Views (see https://gitlab.com/gitlab-org/gitlab-ee/issues/3776 for more details), while MR widget is addressed in https://gitlab.com/gitlab-org/gitlab-ee/issues/4310.
Proposal
In order to achieve this result, we need to:
- split the current SAST report into two different artifacts, one for SAST and one for Dependency Scanning
- add a new section to the existing CI View (just below the SAST report), identical to the one we already have for SAST but with different copy (Dependency Scanning instead of SAST), that will load the Dependency Scanning report
- no changes should be needed for the SAST panel
Note: we'll keep a single `sast` job for the first iteration, since it is simpler to achieve. It will create two different reports as separate artifacts, each of them will feed the specific MR widget. => a new `dependency_scanning` job has been introduced.
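As an added illustration (not part of the issue or of GitLab's own templates), this is how two separate jobs could be declared in `.gitlab-ci.yml` so that each produces its own report artifact for the CI View to load. The job names `sast` and `dependency_scanning` come from the issue; the report file names, the analyzer commands and the `allow_failure` setting are assumptions for the example.

```yaml
# Added example: one job per report, each publishing its own artifact.
# The analyzer commands below are placeholders, not real GitLab tools.
stages:
  - test

sast:
  stage: test
  script:
    # Placeholder for the code-analysis (SAST) tool invocation
    - run-sast-analyzer --output gl-sast-report.json
  # Findings should not block the pipeline in this first iteration (assumption)
  allow_failure: true
  artifacts:
    paths:
      # Consumed by the SAST section of the CI View
      - gl-sast-report.json

dependency_scanning:
  stage: test
  script:
    # Placeholder for the dependency scanner (e.g. a Gemnasium-style tool) invocation
    - run-dependency-scanner --output gl-dependency-scanning-report.json
  allow_failure: true
  artifacts:
    paths:
      # Consumed by the new Dependency Scanning section of the CI View
      - gl-dependency-scanning-report.json
```

Keeping the two reports in distinct artifact files is what lets the frontend fetch them independently, so the Dependency Scanning panel can be rendered with the same component as the SAST panel and only the copy and the report URL differ.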
This is just to give an idea of the final result, it should be replaced by a proper design when ready:
Design
Pipeline widget reference
Security tab
Note:
- DAST will be the last element in the "list":
  - SAST
  - Dependency Scanning
  - Container Scanning
  - DAST
- DAST will not report the "by analyzing the review app" text
- In the CI View we will limit the height of each report to a scrollable 500px
- The "Complete vulnerabilities report" anchor will keep the existing functionality (similar to SAST) and expand the report inline; changes to this functionality are deferred to https://gitlab.com/gitlab-org/gitlab-ee/issues/5322