In the spirit of establishing a DRI for each set of functionality where the owner may not be obvious, the purpose of this page is to explicitly define which engineering group has responsibility for which portions of the product and for specific decisions.
Displays and allows management of a list of vulnerabilities.
Allows users to view the details of a vulnerability and manage it.
Displays statistics and other related information on container security enabled features such as web application firewall (WAF) and container network security (CNS).
Secure: Composition Analysis, Displays vulnerability findings for a specific pipeline.
Allows users to see the dependencies detected in their project.
Allows users to see the licenses detected in their project and the policies set for them.
View and configure scanners for a project.
Note: The main configuration screen falls under Vulnerability Management, but the detailed configuration screen for any given scanner is owned by that scanner's PM and Secure group.
Displays a comparison of source branch results with target branch results. Also includes security approvals in merge requests.
Secure: Composition Analysis, Technical details about how to build a scanner that is compatible with GitLab.
Overview of how to partner with GitLab to build a scanner.
View, Dismiss, or Confirm (and create a related Issue for) the vulnerability findings that the configured scanners detect. This applies to all locations where we display a finding (dashboards, pipeline view, MR view). Also includes the generic auto-remediation flow (though the remediation data itself is provided by the analyzers, so it falls under the corresponding group for implementation).
Ownership of the end-to-end technical solution spans multiple groups. This section clarifies cross-group maintainership of code artifacts between Threat Insights and the remaining groups in the Secure Stage.
The diagram below is an over-simplified representation of the architecture, but it helps to understand the delineation.
Issues are used to make the DRI and their backup aware of a change. If a DRI is unavailable, their line manager acts as the backup.
The report JSON schemas are maintained by the backend team of the Secure group that owns the corresponding category.
For instance, the Static Analysis group is responsible for the SAST category, so its backend team is responsible for the SAST report JSON schema.
Additionally, any modification of the shared definitions and structure (the parts of the schema common to all report types) must be approved by the backend team of every group.