Description
We are talking about the right approach to moving Security scanning reports from the Frontend to the Backend. This is related to an epic [0] to resolve technical debt; furthermore, this enables us to work on removing a docker-in-docker requirement for certain scanning types ([1]) and clears the path to deliver better UX for our features [2].
[0]: https://gitlab.com/groups/gitlab-org/-/epics/1425
[1]: https://gitlab.com/groups/gitlab-org/-/epics/971
[2]: https://gitlab.com/gitlab-org/gitlab-ee/issues/12896
B: You, Lucas, yeah, that similarly voice is interesting one. Anyway, we only up half an hour, so I'm gonna dive right into this. I will also share my screen so that I can go over the agenda and still see all your faces, right. So in a nutshell, in 12.2 we were trying to make an effort to move all the security reports logic from the front end to the back end for the pipelines and the merge request page; in 12.3 we have an issue to remove them, UPS, and replace them with more, like, security dashboard style things.
B: So my plan is to stop refactoring the applications that we're about to delete, because that seems like a bit of a waste of time, and we can still sort of reuse all the backend work in creating the endpoints that we were going to use. We just need to sort of change them slightly, and it gets repositioned that the different end effort to focus more on replacing these apps with what UX is suggesting, than refactoring them. So I mean I'm gonna fly through this.
B: But if you read through the docs, there's a lot more information and links to issues and things like that, that kind of explain a little better. I just want this meeting to be more about questions that people have, or any issues that people see with the approach, and that sort of thing. So a first step would be for solving the move: the reports logic for all the reports on the pipeline's page, just put the sort of dashboard-y type thing inside the pipeline Security tab. This is a mock-up I have done.
B: It will not look exactly like this. This took me about three minutes, apologies. And oops, so yeah, I mean we can use the endpoint that Ross created to allow us to pass in the pipeline ID and just render essentially the similar sort of view of the dashboard, but in the security tab on the pipeline's page, and that gets all the reports.
B: We had a quick look at that this morning, and the way we handle tabs on the merge request page is very weird. So this is a pretty beefy step in itself. That should be kind of easier with the announcement that we're moving very quickly towards single codebase now, but it's still quite a big step. And then, once that's done, move the existing merge request widget with the four separate lists into that new tab, so that when we click on the expand button in the widget, it takes us to that tab.
B: Expand might be the wrong word here, but you get the idea. Instead of opening up the report, we move to that new tab. And then the big bit of work needs a little bit of tweaking on the back end and more front end again, and that is to replace the content in that tab with, again, like a more dashboard-y type thing like we've got in the actual MVC. If you hear that the UX have brought up the big change we need to the API endpoint...
B: Apologies, can't... is that, instead of having three arrays of added, fixed and existing vulnerabilities, it'll probably need to be one array with a status of added, fixed or existing on each of the vulnerabilities. I don't know how simple or hard that'll be, so open to suggestions on that one, I guess, but it will need to be something like this so that we can do pagination properly, and then ideally, mm, somewhere filtering by status as well, in the same way that we do filtering for report type or whatever it is on the other dashboards.
B: And then we may need a new API endpoint for the report summary, because the merge request widget will be something like this, where we've got 15 new security findings, one fixed vulnerability and four dismissed vulnerabilities. I don't think we have an endpoint that would give us these numbers at the moment. If we do, great, let me know what it is. If we don't, then we probably need something. Yeah.
B: Yes, I mean they're... The two frontend changes are obviously to use that endpoint to rework the MR widget to what I've just showed you, and to actually migrate that dashboard to the MR page, which will give us the full moving of reports logic to the backend, and we can completely delete the group security reports app and the split security reports app, which is the two front end apps that currently handle all the logic. So I have sort of flowed through that.
B: I would imagine we don't need to, because the current proposal, this one here, only got added about two days ago, so we should be okay with not making it backwards compatible with this one. Yeah, I'm gonna cancel it. Is this change kind of shipped? I don't know, that was going to be my question. If we ship it, then maybe that changes.
E: It's an internal response, or it's not at the public API, because we have two kinds of APIs: we have the public API that can be leveraged by any third party, and then we have like an internal Rails controller providing JSON inputs, but it's just for our front-end use. Yes, so in this way we can do whatever we want and change it without backward compatibility.
E: Group all the report types in a single code instead of having gradual code, because what we need to consider is, at a like D, the group pod code, which is a database call here. We will be fetching multiple artifacts, with both artifacts, and parsing them on the fly, so I still think it's fine in it, because we are now waiting the end of the pipeline. As far as I remember, we are reaching the end of the pipeline before parsing them to make sure all the jobs are finished.
B: Yeah, and well, that's what we previously... We have separate lists for each one as well, but the new proposal is one list to rule them. I don't know why I'm going to the Lord of the Rings course here, but you get the point. It's one list with all the reports in, rather than four separate lists, which is why that kind of needs to change.
G: Okay, you've already got part of this question. My question is more targeted. Removing docker-in-docker is becoming increasingly a priority. How can we... and we have now coupled this issue with removing docker-in-docker, and my question is: how can we decouple them? How can we not block removing docker-in-docker from SAST in other areas and move forward all this at the same time? Whereas, where is it?
B: Yeah, so I mean the reason I brought it up was because, when I went to find the original issue for migrating the SAST reports, I noticed it had moved from the migration epic to the docker-in-docker epic. So I'm not really sure what it is that makes that a requirement for removing docker-in-docker.
E: This requirement only applies to SAST and dependency scanning because, as the two features are relying on separate jobs, the fertilizers to do the Genesis... so the feature to get rid of the conductor requires that we split that into separate jobs, which means we will have separate reports produced instead of just one. Gene reports, and currently the front end is parsing only one report.
E: So if we want to split that into separate jobs, we need to add the logic to parse the road with also several reports at the same time, at once, which is something that has just been made on the back-end side recently. So if we are doing the same thing with the front end, we can support it right now, but it means we are putting effort on the front end that is going to be thrown away.
E: Okay, that makes sense now. That being said, we also have other blockers, let workers or questions on the way we want to split into multiple jobs, for certain appearances can install this might be left us an issue. I mean, if we are not able to complete the other test anyway, you can see that some time to progress of this, but I would definitely advocate to keep moving on moving the logic on the backend side instead of putting efforts on the front end to support multiple reports.
B: What we're trying to say, moving these reports, we move them all at once, whereas previously we were going to move them a report at a time, and if we do it this way, we might potentially push the actual moving of reports to the back end into 12.4, which would then block the docker-in-docker thing and push that back to 12.4 as well. So I guess it's: how much of an issue would that actually be?
A: We also have the possibility, and I mean it would be busy work and duplicated work, right, if we know that docker-in-docker SAST requirement is like game. We need to do this to come over the 90 outline or whatever football reference, or I don't know. And we can also, because Sam has done the work, right, we can also look into moving SAST and the dependency scanning in the old widget to the new API.
A: Don't bother about the other two scanning types and do the other thing in parallel, right? We could consume just SAST and dependency scanning in the new format, which would then support the multi-report thing and help us with getting rid of docker-in-docker, because, as Sam said, we have two 12.4 question mark. We don't know how big this implementation is going to be.
A: The big problem, probably that's a good question, I would assume that we, because at the moment we do the comparison on the front end, right. We need to basically go with those two issues and don't change the UI because they have to. Can you scroll up a bit, Sam, please? Because essentially we have the added, fixed and existing, right. So do you... I currently wouldn't change for those three reports.
E: I was expecting the work to be more straightforward once you have done with one report, because we have a very consistent API; the only very different between report type is under visualization. If there are specific fields that you... and that, I think we've done a lot of work to make it dynamic. So I don't see the point of cleaning that between report types at PacSun.
A: So we can move on with the lift, lift. We can move on with the plan as we currently have, which would mean moving the dashboard as is, truly, to the new back-end. Maybe we even move it down to the new tab so that you have it in you to stop and to reach design can be in a later stage, and it may involve a new API endpoint that might reuse logic on the backend, right.
A: Sometimes the cost of iterating, right, because I mean, speaking about the UX design, honey, you reached out to me, right, about the new MVC and asked about doing engineering discovery now and then heading into UX design in 12.4, so it might even be that we missed some requirements. I mean, even if the new UX design at the moment, we still miss probably some requirements, like, for example, having that summary API or those kind of things, right, once we dive into UX discovery of having a more dashboard-like approach for the MR.
A: It could be that we even discover that we might need more things like that. We don't even know yet about UX, right, so, basically, the unknown unknowns. Basically, right at the moment, we've listed some known unknowns, like that we probably need to switch the API a bit to support a new test, what kind of thing, but there might even be unknown knowns. And I know that at the moment the whole load of moving into the back end is on your back, but I...
A: I think all of you is also right. Once we have moved one report to the back end, we are able to reuse the... we should be able to also distribute the load, and each front-end engineer take different... front-end engineers taking like one report, right. And additionally, before, we had also the concern about moving the pipeline's view. But if we go and move the pipeline's view to the group view, we can remove the whole back-end logic that's regarding with the with.
E: I agree that the security report MVC is risky for me from the UX and the unknowns I just said that can happen, and it didn't create the bulk of changes to ship at once, so either... I would argue that, even if it's some work to put on your side, Sam, if you can do that in a crappy way, like, allow you to save some time, I mean it's fine to have some debt on that throwable code, but from the UX and from the feature aspect...
B: Okay, as you said, yeah, the only issue I can see with that is we won't know how many were added and fixed right off the bat. It's fine with the other one, because I can get the total from the pagination headers, but I'd only get a total number of all the added and fixed together, and I'll have no idea how many of them were added and how many of them were fixed.
B: Yeah, that's cool, let's go, well! If the endpoints are in there, have a play about with it and see what the issues are. So the issue we had with the pagination when I was doing the pipeline report was that it would say you have added... there's 20 vulnerabilities, but in reality there was 300, but we were only returning the first 20, like.
A: We just have you start with container scanning in order to be not blocked on the front end, and then we can follow with the other two examples. Because we have done it on the front end, it should be rather easy to follow the lead of the example, and I mean on still moving to the back end should remove like a bunch of tests and everything from the front end, because the whole comparison logic tests and what we had there can be removed. So it will be nicer, master actually delete one stuff than they had.
B: Will do. I'll recover the epic and I'll update all the individual issues as well and go from there. I just wanted to know what direction I was going in before I start changing everything and then after change it back, which would have totally happened if I had done it that way around, given this discussion. So I'm glad we did that. Okay.
E: Not directly to that topic, but as I was doing status update we've can this morning on these issues, it might be great if you can leverage established pattern, because how to follow the status between front-end and the backend side as we're making progress on different timelines, so it'd be great to do that. Maybe.