UX Discovery: SAST Configuration UI
Overview
As part of getting SAST to Complete, we want to enable users to configure SAST in the UI.
Questions to answer:
- What settings do customers want to edit?
- Do we want to encourage customers to configure SAST in a particular way? Do we want to consider limiting the configuration, e.g. to within our recommendations, to avoid unintended consequences? (Free-form customization vs. giving users a framework to configure within.) Or how might we offer guidance or logic checks based on their input?
- How might we allow for "rule packs", offered by customers and/or the community?
- How might we create an intuitive user flow and information architecture for this?
- How might we build a framework that supports a future of analyzer-specific configuration later on?
This issue sets the stage for custom rules at a later date.
Personas
Success Criteria
- User can easily enable SAST from within the UI (without instructions in the docs)
- User can configure at least some variables of the SAST template from within the UI
JTBD
- When I'm enabling SAST, I want the ability to do so from within the UI so that I don't have to read a lot of documentation and go through several tedious steps to get it set up.
- When I'm enabling SAST, I want the ability to configure the analyzers in a way that works best for our org, so that we don't waste any time sorting through low-value vulnerability findings.
To Dos
- SAST & Secrets: Competitive Analysis (ongoing)
- Week of Design Jams w/ @tmccaslin (May 11-15th): WIP Mural
- Wireframes
- Prototype V1: https://invis.io/C7XA8FA96QT#/417587515_Config_Page_Version_Part_2
- Collect feedback from Secure & Defend designers and Static Analysis engineering team
- Design iterations
- Collect feedback
- Ready for dev
Future:
- User testing
Design proposals
Listed in order of UX preference:
V1: Configuration UI with dynamic "Restore to default" link
- Form is editable by default
- If a user changes a variable, text underneath the text input responds dynamically by warning them that template updates will not apply to this variable, with a text link to "Restore to default".
- Variables need to look like they are pre-populated with text, but the backend would need to save these as null unless the user changed a variable, thereby creating an override.
V2: Configuration UI with dropdowns
- Encourages enabling the SAST template without configuration
- Provides a warning in the dropdown that any overrides will not be given automatic updates
- Defaults to "Use default settings", where the variables are disabled
- In edit mode ("Use custom settings"), variables need to look like they are pre-populated with text, but the backend would need to save these as null unless the user changed a variable, thereby creating an override.
V3: Read-only Configuration UI page
- Optimizes for enabling SAST, while also giving guidance on the variables users can change in the SAST .yml template from the Merge Request page in the following step
V4: No Configuration UI page
- Adds an "Enable via Merge Request" button to the Configuration page
- Optimizes for enabling SAST only
Edited by Becka Lippert