Design: Secret Detection Validity Checks - Vision
Background
This issue tracks work to create designs for secret detection validity checks (name TBD). Must-have features are outlined in the parent epic in the MVC section. We've also completed competitive research in https://gitlab.com/gitlab-org/gitlab/-/issues/479342+.
Problem to solve
Please reference the problem to solve in the epic.
Proposal
On the vulnerability report:
- Users can quickly identify what secret detection vulnerabilities are valid
- Users can quickly dismiss or resolve secret vulnerabilities that are not valid
In the vulnerability record:
- Users understand if their secret is still valid
💡 Additional ideas
- Should a validity status be handled similarly to how EPSS and KEV are handled?
- Could validity status be incorporated into a risk score for secret detection vulnerabilities?
- What does the workflow look like for revoking a secret if it is active?
Edited by Alana Bellucci