Design: Display approval rules on security configuration page UI
Problem to solve
Context: Vulnerability-Check and License-Check approval rules are not currently displayed in the UI by default. #31922 (closed) covers surfacing the rules by default in the approvals section, and #36829 (closed) decouples the override options from the checks.
Problem: 1) proper configuration is a prerequisite to the checks being useful, so even if the rules are shown by default, their configuration still needs to be explicit in the UI; 2) if a check is active, it is only visible in the merge request, so the user may not be aware that the check is in place.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
- Allison (Application Ops)
Further details
This aims to help users better understand how their project's security is set up. The configuration page shows whether a scan is enabled, and #13298 (closed) will show scanning across projects. This issue will display, at the project level, which rules/checks are applied (follow-up: display at the group/instance level which checks are in place).
Proposal ideation
Display rule status on/off (Vulnerability-Check and License-Check) and allow users to set up (enable) and/or edit the rules on the configuration page. This will include the outcome from #214712 (closed).
Notes:
Backend: please verify you don't need to do anything.
Frontend: please check if this current proposal can be done without duplicating code; I wouldn't want them to get out of sync. If this means we need to create an issue to refactor or do other prep work, that is OK. Also, if we need to tweak the design to more closely mimic/mirror the settings page, we can talk to UX about that.
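The status the configuration page needs to show is derived from the project's approval rules, and the problem statement above points at the subtle case: a rule can exist while requiring zero approvals, so it is "on" but enforces nothing. The following is an added example of that derivation (not code from the GitLab code base). It assumes a rule list in the shape of the project approval-rules API (each rule carrying a name, a rule_type, and an approvals_required count) and that the two security checks are report_approver rules; the sample payload is constructed.

```python
"""Derive on/off status for the Vulnerability-Check and License-Check
approval rules from a project's approval-rule list.

Added example, not GitLab code. Assumption: rules look like the project
approval-rules API response (name, rule_type, approvals_required) and the
security checks use rule_type "report_approver". Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SECURITY_RULE_NAMES = ("Vulnerability-Check", "License-Check")


@dataclass(frozen=True)
class RuleStatus:
    name: str
    present: bool            # a rule with this name exists on the project
    approvals_required: int  # 0 means the rule exists but blocks nothing
    enforced: bool           # present and approvals_required > 0

    @property
    def label(self) -> str:
        """Text the configuration page would show for this rule."""
        if not self.present:
            return "Off"
        if not self.enforced:
            return "On (no approvals required)"
        return f"On ({self.approvals_required} approval(s) required)"


def find_rule(rules: Iterable[dict], name: str) -> Optional[dict]:
    """Return the report-approver rule with this name, if any.

    Only report_approver rules are considered so that an ordinary regular
    rule a user happened to call "License-Check" is not mistaken for the
    security check (assumed rule type, see module docstring).
    """
    for rule in rules:
        if rule.get("name") == name and rule.get("rule_type") == "report_approver":
            return rule
    return None


def security_rule_statuses(rules: Iterable[dict]) -> dict:
    """Map each security rule name to its RuleStatus."""
    rules = list(rules)
    statuses = {}
    for name in SECURITY_RULE_NAMES:
        rule = find_rule(rules, name)
        if rule is None:
            statuses[name] = RuleStatus(name, False, 0, False)
        else:
            required = int(rule.get("approvals_required", 0))
            statuses[name] = RuleStatus(name, True, required, required > 0)
    return statuses


# Constructed sample payload: one enforced check, one present-but-toothless
# check, and an unrelated regular rule that must not be picked up.
SAMPLE_RULES = [
    {"id": 1, "name": "Vulnerability-Check", "rule_type": "report_approver",
     "approvals_required": 1},
    {"id": 2, "name": "License-Check", "rule_type": "report_approver",
     "approvals_required": 0},
    {"id": 3, "name": "Code owners", "rule_type": "regular",
     "approvals_required": 2},
]

if __name__ == "__main__":
    for status in security_rule_statuses(SAMPLE_RULES).values():
        print(f"{status.name}: {status.label}")
```

Separating "present" from "enforced" is the point: a toggle that only reports whether the rule row exists would show License-Check as on in the sample above even though no approval is required, which is exactly the misconfiguration the first problem statement warns about.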
Permissions and Security
Documentation
...
Availability & Testing
SET should update any existing security configuration end to end test, or add if none already exist.
What does success look like, and how can we measure that?
- Does the feature's visibility help improve adoption?
- Is the usability of setting up the security checks improved?
- For the user accountable for security, does the status help them with awareness/understanding of how the project security is setup?
What is the type of buyer?
PM Notes
An OKR is to make sure everything is Pajamas. Can we make sure to use Pajamas and, if Pajamas doesn't have a pattern for what we are adding, contribute one? This may make this heavier weight, but as an OKR it's a high priority.