
Design: Vulnerability Resolution in the Merge Request

User problem

What user problem will this solve?

GitLab surfaces vulnerabilities together with relevant information; however, users often aren't sure where to start with triage and remediation. It takes time to research and synthesize the information surfaced within the vulnerability record, and it can be difficult to figure out how to fix a given vulnerability.

Solution hypothesis

Why do you believe this AI solution is a good way to solve this problem?

Users want to understand a vulnerability quickly so that they know what next steps to take, i.e. what code change they need to make. AI can search for solutions for them, avoiding manual steps. From the vulnerability detail page (Vulnerability Report > click on a vulnerability), users can click a button that creates an MR with the AI's proposed fix.

For this issue, however, we're looking at bringing this feature into the MR itself, and need to figure out how to add the proposed fix as a follow-up commit.

Questions:

  • Would users want to batch the proposals (click Start a review and queue up all of the vulnerability solutions, and possibly other MR changes, into one commit), or keep them as separate commits?

Assumption

What assumptions are you making about this problem and the solution?

  • The amount of information for a vulnerability can be either too little or overwhelming.
  • It is difficult to know where to start.
  • Not all fixes are straightforward.
  • It's time consuming to have to search for potential solutions for a vulnerability.
  • AI will help the user understand why and how the vulnerability poses a risk to their application, thereby incentivizing them to follow through with remediation.

Personas

What personas have this problem, who is the intended user?

  • Sasha (Software Developer) can use this feature to better understand and potentially fix vulnerability findings before she tries to merge to the default branch.
  • Sam (Security Analyst) uses this feature to quickly triage vulnerabilities and learn about specific ones.

Proposal

See design section below.

Note: All members of the team, myself included, are actively monitoring and aligning with the ongoing overlapping efforts in other stages that are using similar components related to AI functionality. The designs posted here are subject to change as these UX/UI conversations evolve.

Important resource for feature maturation: Support for experiment, beta, and generally available features

MVC Requirements

  • Info alert in SAST vulnerability pages with button to open drawer and fetch result
  • Drawer opens with findings
  • Give input if the suggestion was helpful or not with a 👍🏻 or 👎🏻 or "Wrong", see [AI Common] Measuring Users' Satisfaction with ... (&10233 - closed).
  • Text input to allow further feedback as to how the answers could have been better and/or what followup questions the user may have.
  • Copy code snippet

Beta Requirements (Design: [Beta] Explain this Vuln)

  • Feature is available on ANY type of vulnerability, not just SAST.
  • View prompt
  • Can remove code from prompt before sending to UI
  • Pre-flight check warning

GA Requirements

Note: We were going to create an issue for "Announce AI feature on Vuln Report for those that DON'T have it enabled" but in light of the discussion in this CVS thread, we're going to move this into report notifications.

Post-GA Requirements (this issue)

  • Sync with Code Review team
  • Create designs for:
    • Vulnerability Resolution (RV) (& Vulnerability Explanation) into the MR
    • Additional designs needed for the Security tab on the Pipeline page
    • Add activity item into the security finding showing any actions taken
Edited by Becka Lippert