UX Audit: Dependency scanning configuration UI

Summary

As part of Secure: Scan Configuration Evaluation, we are performing an audit of the states and UI patterns for every security scanner with a configuration interface. The goal of the audit is to identify patterns and inconsistencies and create recommendations focused on improving consistency and learnability between the scanners. This issue is to track and document findings for Dependency Scanning configuration.

The parent issue that documents all scanners being audited is linked below:
👉 #340334 (closed)

📋 Plan

  • Identify relevant JTBD
  • Evaluate the configuration process and document existing workflows (user flows)
  • Capture screenshots of the configuration interface including all possible states
  • Review any new or upcoming configuration changes for SAST and note anything that deviates from the audit findings and/or adjust findings accordingly
  • Document findings in an easy to digest way

💼 JTBD

  1. When I am configuring a CI/CD security scan, I want to specify which assets need to be scanned and under which circumstances, so that I can ensure my assets are secure prior to or at their release.
  2. When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, so that we don't waste time sorting through irrelevant findings.
  3. When I am either enabling or configuring a security scan, I want to run a demo scan, so that I can validate my configuration before it is implemented.

📷 Screenshots

See design section below

🚶 Workflow

🎨 FigJam File

📄 Relevant issues

No issues were found related to dependency scanning configuration.

💡 Findings

Does the Dependency Scanning configuration UI address the JTBD(s)?

0 of 3 JTBD can be addressed using the Dependency Scanning configuration UI

  1. 𐄂 JTBD 1 cannot be accomplished using the UI. Dependency scanning does allow for path exclusions (via the DS_EXCLUDED_PATHS variable), but this is not exposed in the UI.
  2. 𐄂 JTBD 2 cannot be accomplished using the UI. Changes to the default dependency scanning package must be configured using CI/CD variables within the .gitlab-ci.yml file.
  3. 𐄂 JTBD 3 is not directly addressed within the dependency scanning configuration flow. There is no way to run a "demo" scan to validate the configuration from the UI.
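To make concrete what the UI does not expose, here is an added .gitlab-ci.yml fragment (not from this audit or from GitLab's own docs) that enables Dependency Scanning through the standard GitLab template and sets the DS_EXCLUDED_PATHS variable mentioned in finding 1; the excluded path values are constructed for illustration.

```yaml
# Added example: enabling Dependency Scanning by hand in .gitlab-ci.yml.
# The template name is GitLab's standard Dependency Scanning template.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Comma-separated paths the scanner should skip (JTBD 1: "which assets
  # need to be scanned"). These sample values are constructed, not defaults
  # taken from this page.
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor/fixtures"
```

Today this is the only way to express the exclusion; the configuration page offers no field for it.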

Findings unique to Dependency Scanning

None

Findings shared with Secret Detection

  1. Enabling dependency scanning is a quick and simple process. There is no configuration required.
  2. A .gitlab-ci.yml file is automatically created and/or updated for users when enabling Dependency Scanning.

Findings shared with other scanners

  1. Much like SAST and all other scanners, the end of the configuration process (merging code to enable the feature) doesn't do a great job assuring users that the scanner is properly enabled. The change in system status is not easily discovered.
  2. Not all configuration options are exposed in the UI
    1. Dependency scanning has a number of configuration options available, but they are not configurable via the UI.
Edited by Michael Fangman