Security Widget (MR): Alert notice of Security Approver functionality
Security Widget (MR): User confusion between a job failing / succeeding & vulns found
Success criteria
- MR Widget receives a new alert notice promoting the Security Approvers functionality.
- Will show up on any MR without security approvers set up
- If security approvers are set up, don't show the alert
- Instance level dismiss. When you dismiss, local storage is updated to hide it for you, for the whole instance.
—————————————
Problem to solve
@tlavi conducted SAST research with participants that revealed that users are confused by a job failing or succeeding and its relationship to vulnerabilities being found within it. For example, it's confusing if a job succeeds even though vulnerabilities are found within it. See the video of the research readout here and the slides here.
Intended users
Proposal
- Surface the critical and high vulnerabilities in the security widget in the MR with corresponding colors (red for critical, orange for high) [see issue #216140 (closed)]
- Include a one-time tip alert at the bottom of this security widget highlighting and explaining Security Approvals as an available feature
Permissions and Security
- We are intentionally showing this to everyone, and are NOT limiting it to people who can set up Security Approvers. This is about awareness.
- If easily possible: if security approvers are set up, don't show the alert
- Instance level dismiss. When you dismiss, local storage is updated to hide it for you, for the whole instance.
We are not exposing the setting to turn this on, so there should be no concern about security/permission leaks.
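The show/dismiss rules above, written out as an added example (this is not GitLab's widget code). The storage key name, the `hasSecurityApprovers` flag and the in-memory stand-in for `window.localStorage` are assumptions constructed so the snippet runs outside a browser:

```javascript
// Added example, not GitLab's code: the visibility logic for the
// Security Approvers tip described in this issue.
// Assumed key name; nothing on the page fixes it.
const DISMISS_KEY = 'security_approver_alert_dismissed';

// Minimal stand-in for the browser Storage interface, constructed so
// the example runs under Node. In the browser, pass window.localStorage.
function makeMemoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
  };
}

// Decide whether the alert is rendered for a given MR:
// - hidden when the project already has Security Approvers configured
// - hidden once the viewer dismissed it; the key is not scoped by
//   project or MR, so one dismissal hides it everywhere on the instance
// - otherwise shown to every viewer, regardless of whether they could
//   configure approvers themselves (awareness only, no permission check)
function shouldShowSecurityApproverAlert({ hasSecurityApprovers }, storage) {
  if (hasSecurityApprovers) return false;
  return storage.getItem(DISMISS_KEY) !== 'true';
}

// Record the dismissal; the value is a string because Storage only holds strings.
function dismissSecurityApproverAlert(storage) {
  storage.setItem(DISMISS_KEY, 'true');
}

// Walk through the three cases the issue describes and return the outcomes.
function runScenario() {
  const storage = makeMemoryStorage();
  const results = [];
  // MR in a project without approvers, nothing dismissed yet -> shown
  results.push(shouldShowSecurityApproverAlert({ hasSecurityApprovers: false }, storage));
  // MR in a project that already has Security Approvers -> hidden
  results.push(shouldShowSecurityApproverAlert({ hasSecurityApprovers: true }, storage));
  // After dismissing once, an MR in any other project without approvers -> hidden
  dismissSecurityApproverAlert(storage);
  results.push(shouldShowSecurityApproverAlert({ hasSecurityApprovers: false }, storage));
  return results; // [true, false, false]
}
```

One practical consequence of backing the dismissal with `localStorage`: the value lives in the user's browser for that origin, so "for the whole instance" means every project and MR on that GitLab host, but only in that browser profile; the same user on another device or browser will see the tip again until they dismiss it there too. Because the alert never reads or writes approval settings, a stale or missing key can only cause the tip to reappear, not change who must approve.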
