Discovery: allow user to configure Secure features in UI
Problem
User is unable to activate Secure features directly in the UI and currently has to manually configure the project files. Additional context:
- It is not explicit in the UI where/how to configure security scan features. Our UI does not give status or steps to set up the features (this is being worked on in https://gitlab.com/gitlab-org/gitlab-ee/issues/13638.
- We've seen users struggling to find where to set up SAST and user expect an on/off switch https://gitlab.com/gitlab-org/ux-research/issues/277.
- Secure does not have a centralized space for settings that are specific to Secure. examples: i) setting up scans are manually added to
.gitlab-ci.yml, ii) license compliance is located in settings > CI/CD > License Management, iii)Vulnerability-CheckandLicense-Checkare in general > Merge Request Approvals.
Solution ideation
MVC iterating on the configuration section in a newly created Security screen https://gitlab.com/gitlab-org/gitlab-ee/issues/13638: allow the admin user to activate Secure features. Do this by including a security scan template to the gitlab-ci.yml (default branch only).
The configuration UI would be visible to maintainers/owners; developers would see the status screen https://gitlab.com/gitlab-org/gitlab-ee/issues/13638
Iteration 3:
| User flow: configuring a scan | Different UI states |
|---|---|
 |
 |
This flow shows UX for adding a security scan. In this case, a gitlab-ci.yml file has already been created and some scans already added. User is adding 'License-Compliance' template |
Different states of the UI configuration screen: i. no features have been configured, ii. user selects feature, MR button activates, iii. if feature is already configured √ ability is disabled, iv. display is AutoDevOps is configured, v. case when existing configuration MR is in progress, vi. includes subtext info of scan |
Next steps in-progress:
-
create research issues: ux-research#359 (closed) and ux-research#360 (closed) -
create a prototype for testing: see here -
conduct user testing -
review findings and iterate
iteration 3 feedback summary
- User may select one or more scans. Use design pattern that allows user to select multiple at one time. Then multiple pipelines won’t be created (or MR creation as being ideated)
- Work through the following flow concept:
- user: selects “configuration” section from left nav
- user: lands on configuration page
- user: select to activate one or more scans
- user: clicks “Create merge request”
- system: update or create gitlab-ci.yml file
- system: add the selected template(s) to .gitlab-ci.yml file (default branch only)
- system: commit changes
- system: triggers pipeline
- system: create an MR with changes
- user: lands on the MR page for review and edits
- user: review changes and can make edits
- user: user merges MR
- As an MVC: add script to default branch only. UX needs to make user aware of only being in the master.
- Consider the idea of leveraging the environment variables, per @stkerr
- Located in configuration section https://gitlab.com/gitlab-org/gitlab-ee/issues/13638, in previous user research: most users expected security configuration options in this section (https://gitlab.com/gitlab-org/ux-research/issues/277)
- Separate consideration: as Secure settings grow, we can consider adding relevant settings to the new section (similar issue across stages: https://gitlab.com/gitlab-org/gitlab-ce/issues/66034).
- User √ icon to signal added items vs disabled checkbox
iteration 2
| i. info architecture | ii. no feature activated | iii. some activated | iv. already activated with Auto DevOps | v. additional documentation to guide user |
|---|---|---|---|---|
 |
 |
 |
 |
 |
iteration 1
Configuration section
| i. no features configured | ii. some features configured | iii. Auto DevOps activated | iv. without Auto DevOps |
|---|---|---|---|
 |
 |
 |
 |
Discovery conclusion
The proposal was validated in ux-research#359 (closed), where we found 5 of 5 users successfully configured a scan when given the task. This is an improvement from 1 of 5 in the previous study https://gitlab.com/gitlab-org/ux-research/issues/277. Below includes the implementation issue and the next steps.
Implementation issue for MR configuration flow #34771 (closed)
- Recommend this for %12.6, as it's a follow up to #13638 (closed)
- This issues is UX solution validation
- Status: some minor UI polish is needed, per the user feedback and visual design needs. Otherwise, the core concept flow remains the same.
Implementation issue for configuration to any branch #34886 (closed)
- Follow up to #34771 (closed)
- Allows user to configure security scans to any branch
Follow up discovery #34773 (closed)
- Focus on user awareness (of what scans and where are configured) and ability to add scan templates to any branches (when needed). Also, consider/ideate on how we can get closer to out of box UX for Secure configuration.
- Related issue: #33160 (closed)
Follow up validation issue ux-research#492 (closed)
- Added to %12.6 @tali
- This issue is a placeholder to research the findings of the next step discovery issue above #34773 (closed)
UX Scorecard issues
- @cam.x will be completing Secure feature configuration UX Scorecard review (formerly known as baseline experience)
- Issues: ux-research#484 (closed), #34368 (closed), and #34369 (closed).
- This will formally document existing configuration UX and provide additional feedback/recommendations for improvement
Edited by Kyle Mann