Create confidential issues from vulnerabilities
Problem to solve
The vulnerability management flow starts with the security flaws that scanners such as SAST and DAST spot during pipeline execution.
Those tools produce reports that are consumed in several places: the security dashboard (at both group and project level), the merge request view, and the pipeline view.
All of those places let users create an issue from a vulnerability so that the remediation process can start.
These issues carry all the relevant details about the vulnerability, so they could be used to easily discover unmanaged flaws in the codebase. Since issues may be public, anyone could access this information before a fix is released.
Target audience
Further details
This is the first step towards more privacy for vulnerability management. It mirrors what we already do when handling security at GitLab: vulnerability information stays confidential until a patch is released, so customers' data is better protected against unauthorized access.
Proposal
When a new issue is created from a vulnerability, it should be created as a confidential issue.
This should apply to the following flows:
- Group Security Dashboard
- Project Security Dashboard
- Merge Request Security Reports
- Pipeline Security Reports