Experience Recommendation – Secure FY22-Q3 – Identifying vulnerabilities in new code (Static analysis)
- UX Scorecard Part 1: #1682 (closed)
| # | Insight / finding | Recommendation | Comments |
|---|---|---|---|
| 1 | The security configuration button on the project (repo) homepage doesn't reflect the current configuration status and directs users away from their project. | Revise the behavior of the "Add Security Testing" button on the repo homepage. | The button currently links users to the SAST documentation, even after SAST is enabled. Linking to the security configuration page is a more appropriate destination for several reasons. |
| 2 | Libor was successful at setting up multiple scanners but wasn't confident that they were configured properly. There is no direct feedback given to users after a scanner has been enabled. | Allow users to preview a repo's security configuration at a glance. | System status for security features is hidden under Security & Compliance > Configuration. |
| 3 | The empty states for the security dashboard and vulnerability management pages are the same. This makes it difficult for users to infer how these features might differ. | Better empty states for the security dashboard and vulnerability report. | Providing more relevant empty states might help users understand the features that are available to them. |
| 4 | Libor rated two of the three "onboarding" heuristics as a D, and the other as a C. He also rated "Minimal setup required" as a D. These below-average ratings may have an impact on feature adoption. Furthermore, the emotional grading for learning about and setting up a security scanner was generally negative. | Explore how we might include educational/supplemental docs throughout the scanner config process. | Supplemental research may be required to pinpoint and validate specific problem areas. |
| 5 | The security banner does a great job promoting SAST, but doesn't give users an entry point into the easiest way to configure SAST: the configuration UI. | Add a "Configure SAST" link as the primary action for the SAST promo banner. | First, verify whether this banner is displayed to GitLab Core users as well as Ultimate users, and adjust the recommendation accordingly. |
| 6 | The vulnerability management survey banner on the security dashboard and vulnerability report page is displayed on projects that have no vulnerabilities and no security measures set up. It doesn't seem relevant to users at that point in their journey. | Add logic to the vulnerability management survey banner so it's not displayed until there are vulnerabilities available in a project. | |
| 7 | The SAST configuration page is using an old button component and should be updated. | Update the SAST config button "Create merge request" to use the new style. | Minor change to maintain consistency across the experience. |
Experience Recommendations Checklist
Learn more about UX Scorecards
- Add this issue to the stage group epic for the corresponding quarter's UX scorecards.
- Brainstorm opportunities to fix or improve areas of the experience.
  - Use the findings from the Emotional Grading scale to determine areas of immediate focus. For example, if parts of the experience received a "Negative" Emotional Grade, consider addressing those first.
- Create an issue for each recommendation. Alternatively, you can create a separate epic to hold all your recommendations. Add a UX scorecard-rec label to every issue or epic for traceability. Link to the epic or issues here.
- Think iteratively, and create dependencies where appropriate, remembering that sometimes the order of what we release is just as important as what we release.
  - If you need to break recommendations into phases or over multiple milestones, create multiple epics and use the Category Maturity Definitions in the title of each epic: Minimal, Viable, Complete, or Lovable.
Edited by Michael Fangman