Software composition analysis group scanners configuration in UI

Problem to solve

Users are unable to configure a security scan feature directly in the UI.

Context: In the &1784 (closed) study, only 1 of 5 users was able to properly configure a security scan when given the task. We found that users navigated to the Security section of the left nav with ease, but were disappointed on arriving there and finding no "on/off" switch. The discovery issue #13646 (closed) produced a workflow that lets a user configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.

Related individual group UIs

  • SAST - #216635 (closed)
  • DAST - #216610 (closed)

Intended users

Further details

Jobs to be done:

When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.

When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.

Future iterations:

As an MVC, the configurations made directly from the UI would apply to the default branch only (note: any feature branches created afterwards will include the configured scans). Related: the security dashboard only shows results from the default branch. Issue #33160 (closed) looks to improve this by allowing users to view data from feature branches.

Proposal

Allow users to create a merge request that adds the selected security scan template(s) to the .gitlab-ci.yml file (default branch only). This task is completed in the configuration section: https://gitlab.com/gitlab-org/gitlab-ee/issues/13638.

  • If the user selects License Compliance and/or Dependency Scanning, the related template(s) are committed and a merge request is created.
  • If the user selects Container Scanning, the related template(s) are committed after the user confirms the Container Scanning variable (IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA). The merge request is created with WIP status and the commit has skip ci, so the pipeline does not run; this makes the user aware that additional configuration is required.
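As an added illustration (not part of this issue or of GitLab's own code), the following is the kind of .gitlab-ci.yml the proposed merge request could produce when a user selects Dependency Scanning, License Compliance and Container Scanning. The template paths are assumed to be the ones GitLab ships; the IMAGE_TAG variable is the one the proposal asks the user to confirm; the build_image job is an assumed example of the "additional configuration" the WIP merge request warns about, since Container Scanning can only scan an image that some job has already built and pushed to the project registry.

```yaml
# Added illustration, not from the issue: a .gitlab-ci.yml that includes the
# three scanner templates the UI would commit. Template paths are assumed.
stages:
  - build
  - test   # the scanner templates run their jobs in the test stage

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Confirmed by the user in the Container Scanning step of the UI
  # (value taken from the proposal above).
  IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA

# Assumed example of the extra configuration the user must add themselves:
# build the image and push it to the project registry so the container
# scanner has something to pull. Credentials come from GitLab's predefined
# CI_REGISTRY_* variables, so no secret is stored in the file.
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
```

Until a job like build_image exists on the branch, the container scan job has no image to pull, which is why the proposal creates the Container Scanning merge request as WIP with skip ci on the commit rather than letting a pipeline run and fail.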

Permissions and Security

The configuration UI would be visible to maintainers/owners; developers would see the status screen https://gitlab.com/gitlab-org/gitlab-ee/issues/13638

Documentation

..

Testing

..

What does success look like, and how can we measure that?

  • User navigates to the section (when tasked with setting up scans) and better understands how to configure the scans
  • The documentation links are clear and help guide users to set up security scans
  • User successfully adds the respective template via the merge request flow
  • User understands that this UI applies only to the default branch.

=> Related research study

What is the type of buyer?

~Ultimate

Links / references