Static Code Scanning for SCM users not using Verify

Problem to solve

GitLab users taking advantage of Source Control Management but not Verify or Secure stage categories could be missing out on static analysis capabilities that do not require compiling source code and result in lower quality or less secure projects.

Intended users

  • Delaney (Development Team Lead) - who wants the team to take advantage of Code Quality so they write code that is easier to maintain
  • Alex (Security Operations Engineer) - who wants the team to run secret scanning and security analysis as soon as possible after code is written, to reduce vulnerabilities.

User experience goal

Users who do not have build pipelines but want to get static code and security analysis with merge requests OR at scheduled times can quickly enable these features so they can get analysis and build more secure and readable code.

Proposal

~~An MVC approach may just be an example gitlab-ci.yml file that includes only the code-quality template and eventually a new selectable template that adds the file along with enabling the devopssecure categories as well.~~ **Update**: There is already a Code-Quality template as well as SAST, DAST, Web Performance and Accessibility templates in the drop down.
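As an added illustration (not from this issue or from GitLab's own templates), the kind of minimal .gitlab-ci.yml a repository with no build pipeline could commit to pick up the Code Quality, SAST and Secret Detection templates; the template paths are GitLab's standard ones, while the workflow rules restricting pipelines to branch pushes and schedules are an assumption added here.

```yaml
# Constructed example: a .gitlab-ci.yml for a repository that has no build
# pipeline. The included templates define their own jobs, so no compile or
# test stage is required for the analysis to run.
include:
  - template: Code-Quality.gitlab-ci.yml               # maintainability findings
  - template: Security/SAST.gitlab-ci.yml              # static security analysis
  - template: Security/Secret-Detection.gitlab-ci.yml  # committed credentials

# Assumption: only create pipelines for branch pushes (whose results show in
# the merge request widget) and for pipeline schedules. Each included job
# still applies its own rules, so check the template version in use if a job
# does not appear in the pipeline; delete this block to allow every source.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "schedule"
```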

Run an A/B test that adds language to the Repo page when there is no .gitlab-ci.yml, and measure adoption / pipelines run.

Hypothesis

If we add a CTA to the repo page of projects that do not have a .gitlab-ci.yml file, prompting them to add static analysis, then >= 5% of those users will add a template after seeing the message.

Test ideas

1. Use in-app messaging: add a message to the page with language around Code Quality being available as a template with a single job, plus some benefit (@parker_ennis do we have some testimonials we could use here maybe?).

  • When a user clicks a button like "Add Code Quality to my repo" they will go to the new file view with the code quality button preselected/file populated and a commit message "Add Code Quality scanning to repository".
  • For measurement capture page views of message shown/not shown, clicks for pages shown and repos that saw the message and ran a pipeline after the view.

2. Add a button

  • Create an A/B test to put the new button on ~ 10% of repository pages on gitlab.com that do not have a .gitlab-ci.yml. There is already logic for this based on the behavior of the "Setup CI/CD" button. (See the idea below; it is just a starting point and needs UX.)
  • When a user clicks on the button they will go to the new file view with the code quality button preselected/file populated and a commit message "Add Code Quality scanning to repository".
  • For measurement capture page views of button shown/not shown, button clicks for pages shown and repos that saw the button and ran a pipeline after the view.

Code_Quality_A_B_test_idea

Further details

The main benefit of this to the user is taking advantage of a soon-to-be GitLab Core feature in Category:Code Quality that provides visibility into maintenance/readability issues in their code base.

The benefit to GitLab is this adds a stage for the user and exposes them to other features that can be utilized within the devopsverify stage.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

See Tests in the Proposal section

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited Jun 04, 2020 by James Heimbuck