SAST Configuration UI: MVC Design

Overview

This issue defines the MVC design for the SAST Configuration UI, building off the conversations and designs in the previous UX Discovery issue.

Personas

Success Criteria

  • User can get to the SAST Configuration UI page from the Enable button on the Configuration page
  • User can configure at least some variables of the SAST template from within the UI, and create an MR to commit changes
  • User can click on the View History link (if SAST is enabled) to see the git blame for the SAST .yml file

JTBD

  • When I'm enabling SAST, I want the ability to do so from within the UI so that I don't have to read a lot of documentation and go through several tedious steps to get it set up.

  • When I'm not getting the results I'd like to see from my SAST scanner, I want the ability to configure the variables so that I get the most value from it and subsequently, from GitLab.

  • When something goes wrong with my SAST jobs, I want to be able to see who made changes to the SAST .yml file and when so that we can figure out how to get the jobs working properly.

Design proposal

Secure & Defend Configuration Page

Info | Design
SAST not enabled. Enable button links to SAST Configuration UI page. | image
SAST enabled. View history link goes to the git blame page for the SAST template. Customize button goes to the SAST Configuration UI page. | image

SAST Configuration UI

Configuration UI with dynamic Restore to default link

Default (no variables changed) | User changed the image prefix field (note help text below field)
image | image

User clicked on View analyzers button (Analyzer section expanded)

image

Edited by Becka Lippert