Red Hat Advanced Cluster Security
ROX-30264

Cannot persist violation triage results in ACS

      Goal Summary:

      Imagine I've been looking at a policy violation and gathered some information, for example that the CVE triggering the violation comes from some base image which must be used due to compliance. This is valuable information and I'd love to persist it so the next person won't duplicate this work. However, I can't.

      Apparently there was a similar ability (behind a feature flag?) in the past: https://issues.redhat.com/browse/ROX-3715?jql=text%20~%20%22violation%20comments%22%20and%20project%20%3D%20ROX

      Goals and expected user outcomes:

      The goal is to persist relevant information gathered while investigating a violation so that it is shown to the next person who looks at it. Such information is typically image- or deployment-specific rather than specific to one violation. It is probably better to decouple the information from the violation at hand, because violations can be recreated (for example after a redeploy or a policy re-evaluation), and a note attached to a single violation instance would be lost with it.

      Acceptance Criteria:

      • Be able to persist notes for a given image or deployment
      • Be able to do it from the violation screen
      • Render image and deployment notes for every violation affecting that deployment and/or image(s)
      • Notes must be shareable across users, subject to access control
      • Consider introducing a separate permission for notes, so that leaving a note does not require `WRITE` on the Image and Deployment resources (least privilege: a triager should not gain the ability to modify images or deployments just to annotate them)
      • As a next step, the same information can be reused in other views, such as vulnerability management and reports
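The two design points in the criteria above, notes keyed by image or deployment rather than by violation, and a note permission separate from `WRITE` on Image/Deployment, as an added example. This is illustration code, not ACS code: the `TriageNote` resource, the access levels, the role shape and every ID and digest are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Access levels and resource names are assumptions for this example. They
// mirror the shape of the acceptance criteria (READ/WRITE on Image and
// Deployment plus a separate note permission), not ACS's real model.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	ReadWriteAccess
)

type Resource string

const (
	ResImage      Resource = "Image"
	ResDeployment Resource = "Deployment"
	ResNote       Resource = "TriageNote" // assumed separate resource for notes
)

// Role maps each resource to the access a user holds on it; a missing
// resource means NoAccess (the zero value).
type Role map[Resource]Access

// Note is triage information keyed by a deployment ID or an image digest,
// deliberately not by violation ID, because violations get recreated.
type Note struct {
	Target string // deployment ID or image digest
	Author string
	Text   string
}

// Violation is a minimal stand-in for a policy violation: its own ID plus
// the deployment and image(s) it concerns.
type Violation struct {
	ID           string
	DeploymentID string
	ImageDigests []string
}

// NoteStore holds notes by target so that any violation touching that
// target can render them, whatever the violation's own ID is.
type NoteStore struct {
	byTarget map[string][]Note
}

func NewNoteStore() *NoteStore {
	return &NoteStore{byTarget: map[string][]Note{}}
}

var ErrForbidden = errors.New("forbidden: write access on TriageNote required")

// AddNote needs write access on the note resource only, not WRITE on Image
// or Deployment, so a triager can annotate without being able to modify
// either underlying resource.
func (s *NoteStore) AddNote(role Role, author, target, text string) error {
	if role[ResNote] < ReadWriteAccess {
		return ErrForbidden
	}
	s.byTarget[target] = append(s.byTarget[target], Note{Target: target, Author: author, Text: text})
	return nil
}

// NotesForViolation returns every note attached to the violation's
// deployment or any of its images. A reader needs read access on notes and
// on the resource a note is about (assumed rule: a note must never reveal
// more than the reader could already see). Deployment notes come first.
func (s *NoteStore) NotesForViolation(role Role, v Violation) []Note {
	if role[ResNote] < ReadAccess {
		return nil
	}
	var out []Note
	if role[ResDeployment] >= ReadAccess {
		out = append(out, s.byTarget[v.DeploymentID]...)
	}
	if role[ResImage] >= ReadAccess {
		for _, d := range v.ImageDigests {
			out = append(out, s.byTarget[d]...)
		}
	}
	return out
}

func main() {
	store := NewNoteStore()
	// Constructed roles: a triager, a read-only viewer, and an image/deployment
	// editor that holds WRITE on both resources but no note permission at all.
	triager := Role{ResImage: ReadAccess, ResDeployment: ReadAccess, ResNote: ReadWriteAccess}
	viewer := Role{ResImage: ReadAccess, ResDeployment: ReadAccess, ResNote: ReadAccess}
	imgEditor := Role{ResImage: ReadWriteAccess, ResDeployment: ReadWriteAccess}

	const baseImage = "sha256:0f1e2d3c" // constructed, not a real digest
	_ = store.AddNote(triager, "alice", baseImage, "CVE comes from the compliance-mandated base image; cannot swap it")

	first := Violation{ID: "viol-1", DeploymentID: "dep-billing", ImageDigests: []string{baseImage}}
	// After a redeploy the violation is recreated under a new ID; the note still renders.
	recreated := Violation{ID: "viol-2", DeploymentID: "dep-billing", ImageDigests: []string{baseImage}}

	fmt.Println(len(store.NotesForViolation(viewer, first)), len(store.NotesForViolation(viewer, recreated)))
	fmt.Println(store.AddNote(imgEditor, "bob", "dep-billing", "ignored") == ErrForbidden)
}
```

The store never sees a violation ID, which is what makes the note survive `viol-1` being replaced by `viol-2`. The read path deliberately checks both the note permission and the underlying resource permission, so granting someone `TriageNote` access alone does not leak which deployments or images exist.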

      Success Criteria or KPIs measured:

      • Number of notes left; it should be non-zero

      Use Cases (Optional):

      • On the dogfooding instance, ACSCS folks are often blocked from updating addon images due to compliance; this is domain-specific knowledge that is not available to others looking at the violations.
      • asegundo+sd-mt-sre had a similar request based on the experience of managing the AppSRE instance.

      Out of Scope (Optional):

      TBD

              Assignee: Unassigned
              Reporter: Alexander Rukletsov (aruklets@redhat.com)