
Allow user to customize vulnerability-check severity criteria

Effort has been moved to Epic: &6237 (closed)

Problem to solve

Context: the Vulnerability-Check approval rule currently exists at the project level. It blocks a merge request if a critical, high, or unknown severity vulnerability is detected (regardless of dismissal). This issue is part of &3202 (closed), and is a follow-up to #216588 (closed), which displays whether or not a check is set across projects, and #216590 (closed), which allows users to apply the Vulnerability-Check to multiple projects.

Problem: the Vulnerability-Check rule has fixed criteria for blocking a merge request: a critical, high, or unknown severity vulnerability is detected (regardless of dismissal). Use case: a team may only want to block the merge request when a critical vulnerability is detected.

Intended users

User experience goal

Allow users to customize the rule criteria.

Proposal

Allow users to customize the severities the rule acts on; for example, the ability to block a merge request only if critical vulnerabilities are detected.

Further details

Issue part of introducing group-level security check: &3202 (closed)

Question and consideration: what other custom criteria may be helpful? For example, treating dismissed vulnerabilities as no longer requiring approval, or filtering by scanner type? 🤔
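The rule semantics described above (a fixed severity set, dismissals not honoured) and the customizable criteria this issue raises, modelled as an added, self-contained example. This is not GitLab's code; the class and field names, the `scanners` filter and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Severity labels as reported by GitLab security scanners.
VALID_SEVERITIES = frozenset({"critical", "high", "medium", "low", "info", "unknown"})

@dataclass(frozen=True)
class Finding:
    severity: str
    scanner: str  # e.g. "sast", "dependency_scanning" (constructed values)
    dismissed: bool = False

@dataclass(frozen=True)
class VulnerabilityCheckRule:
    # Defaults reproduce today's fixed criteria: critical/high/unknown, dismissals ignored.
    severities: FrozenSet[str] = frozenset({"critical", "high", "unknown"})
    ignore_dismissed: bool = False  # True = dismissed findings no longer require approval
    scanners: Optional[FrozenSet[str]] = None  # hypothetical filter; None = any scanner

    def __post_init__(self) -> None:
        # Reject typos in a customized rule instead of silently never matching.
        bad = self.severities - VALID_SEVERITIES
        if bad:
            raise ValueError(f"unknown severity label(s): {sorted(bad)}")

    def matches(self, f: Finding) -> bool:
        if f.severity not in self.severities:
            return False
        if self.ignore_dismissed and f.dismissed:
            return False
        return self.scanners is None or f.scanner in self.scanners

    def blocking_findings(self, findings: List[Finding]) -> List[Finding]:
        return [f for f in findings if self.matches(f)]

    def requires_approval(self, findings: List[Finding]) -> bool:
        # The MR needs the security approval step if any finding matches the rule.
        return bool(self.blocking_findings(findings))

# Constructed sample MR findings: a dismissed high, a medium and an unknown-severity one.
SAMPLE_FINDINGS = [
    Finding("high", "sast", dismissed=True),
    Finding("medium", "dependency_scanning"),
    Finding("unknown", "secret_detection"),
]

CURRENT_RULE = VulnerabilityCheckRule()
CRITICAL_ONLY = VulnerabilityCheckRule(severities=frozenset({"critical"}))
SKIP_DISMISSED = VulnerabilityCheckRule(severities=frozenset({"critical", "high"}), ignore_dismissed=True)
```

With the sample findings, the current rule requires approval (the dismissed high and the unknown-severity finding both count), the critical-only rule does not, and the rule that honours dismissals does not either.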

Permissions and Security

...

Documentation

Availability & Testing

...

What does success look like, and how can we measure that?

  • Can the user select their preferred criteria for the rule?
  • Do users adopt the feature across multiple projects, with custom rules?

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

This is a cross-stage feature for ~"devops::secure", as it relates to the scanning results of all scans except license scanning. Additionally, it will affect the merge request experience, the configuration page, and vulnerability management (~"devops::defend").

Links / references

Edited by Tim Poffenbarger