UX Discovery: SAST Configuration UI

Overview

As part of getting SAST to Complete, we want to enable users to configure SAST in the UI.

Questions to answer:

  • What settings do customers want to edit?
  • Do we want to encourage customers to configure SAST in a particular way? Should we limit the configuration, e.g. keep it within our recommendations to avoid unintended consequences? (Free-form customization vs. giving users a framework to configure within.) Or how might we offer guidance or logic checks based on their input?
  • How might we allow for "rule packs", offered by customers and/or the community?
  • How might we create an intuitive user flow and information architecture for this?
  • How might we build a framework that supports a future of analyzer-specific configuration later on?

This issue sets the stage for custom rules at a later date.

Personas

Success Criteria

  • User can easily enable SAST from within the UI (without instructions in the docs)
  • User can configure at least some variables of the SAST template from within the UI

JTBD

  • When I'm enabling SAST, I want the ability to do so from within the UI so that I don't have to read a lot of documentation and go through several tedious steps to get it set up.

  • When I'm enabling SAST, I want the ability to configure the analyzers in a way that works best for our org, so that we don't waste any time sorting through low-value vulnerability findings.

To Dos

Future:

  • User testing

Design proposals

Listed in order of UX preference:

V1: Configuration UI with dynamic Restore to default link
  • Form is editable by default
  • If user changes a variable, text underneath the text input responds dynamically by warning them that template updates will not apply to this variable, with a text link to Restore to default.
  • Inputs need to appear pre-populated with the template default values, but the backend must store each variable as null unless the user changes it; a non-null value is an override.

[mockup image: V1]

V2: Configuration UI with dropdowns
  • Encourages enabling the SAST template without configuration
  • Provides a warning in the dropdown that any overrides will not be given automatic updates
  • Defaults to Use default settings where the variables are disabled
  • In edit mode (Use custom settings), inputs need to appear pre-populated with the template default values, but the backend must store each variable as null unless the user changes it; a non-null value is an override.
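The null-unless-changed storage model shared by V1 and V2, as an added illustration (not GitLab's code): overrides are stored as nil until the user changes a value, effective settings merge overrides over whichever template revision is current, and "Restore to default" simply drops the override. Variable names and default values are constructed sample data.

```ruby
# Added example, not GitLab's implementation. Models the override semantics
# described in V1/V2: nil means "inherit from the SAST template".

# Defaults shipped with the SAST template (constructed sample values).
TEMPLATE_V1 = {
  "SEARCH_MAX_DEPTH"    => "4",
  "SAST_EXCLUDED_PATHS" => "spec, test, tests, tmp"
}.freeze

# A later template revision that changes one default (constructed).
TEMPLATE_V2 = TEMPLATE_V1.merge("SEARCH_MAX_DEPTH" => "20").freeze

# Project-level storage: every template variable is present but nil until
# the user deliberately changes it.
def empty_overrides(template)
  template.keys.to_h { |name| [name, nil] }
end

# Called when the form is saved. Typing the default back in is not an
# override, so it is stored as nil and keeps following template updates.
def set_variable(overrides, template, name, value)
  raise ArgumentError, "unknown variable #{name}" unless template.key?(name)
  overrides.merge(name => (value == template[name] ? nil : value))
end

# "Restore to default" link: drop the override, re-enabling template updates.
def restore_default(overrides, name)
  overrides.merge(name => nil)
end

# What the pipeline actually runs: overrides win, everything else comes
# from the current template revision.
def effective_config(overrides, template)
  template.merge(overrides.compact)
end

# Variables whose input should show the "template updates will not apply" warning.
def warned_variables(overrides)
  overrides.compact.keys
end

if __FILE__ == $PROGRAM_NAME
  o = empty_overrides(TEMPLATE_V1)
  o = set_variable(o, TEMPLATE_V1, "SAST_EXCLUDED_PATHS", "spec, vendor")
  o = set_variable(o, TEMPLATE_V1, "SEARCH_MAX_DEPTH", "4") # equals default: no override
  puts warned_variables(o).inspect              # ["SAST_EXCLUDED_PATHS"]
  puts effective_config(o, TEMPLATE_V2).inspect # depth follows template, paths stay overridden
end
```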

[mockup image: V2]

V3: Read-only Configuration UI page
  • Optimizes for enabling SAST, while also giving guidance on the variables users can change in the SAST .yml template from the Merge Request page in the following step

[mockup image: V3]

V4: No Configuration UI page
  • Adds Enable via Merge Request button to Configuration page
  • Optimizes for enabling SAST only

[mockup image: V4]

Edited by Becka Lippert