Skip to content

UX Audit: Secret detection configuration UI

️ Summary

As part of Secure: Scan Configuration Evaluation, we are performing an audit of the states and UI patterns for every security scanner with a configuration interface. The goal of the audit is to identify patterns and inconsistencies and create recommendations focused on improving consistency and learnability between the scanners. This issue is to track and document findings for Secret Detection configuration.

The parent issue that documents all scanners being audited is linked below:
👉 #340334 (closed)

📋 Plan

  • Identify relevant JTBD
  • Evaluate the configuration process and document existing workflows (user flows)
  • Capture screenshots of the configuration interface including all possible states
  • Review any new or upcoming configuration changes for secret detection and note anything that deviates from the audit findings and/or adjust findings accordingly
  • Document findings in an easy to digest way

📷 Screenshots

See design section below

💼 JTBD

  1. When I am configuring a CI/CD security scan, I want to specify which assets need to be scanned and under which circumstances, So that I can ensure my assets are secure prior to or at their release.
  2. When I am configuring a security scan, I want to specify which types of vulnerabilities (secrets) the scan should detect, So that we don't waste time sorting through irrelevant findings.
  3. When I am either enabling or configuring a security scan, I want to run a demo scan, So that I can validate my configuration before it is implemented

🚶 Workflow

🎨 FigJam File image

📄 Relevant issues

No issues were found related to secret detection configuration

💡 Findings

Does the Secret Detection configuration UI address the JTBD(s)?

0 of 3 JTBD can be addressed using the Secret Detection configuration UI

  1. 𐄂 JTBD 1 cannot be accomplished using the UI. Secret detection does allow for path exclusions (via the SECRET_DETECTION_EXCLUDED_PATHS variable), but this is not exposed in the UI
  2. 𐄂 JTBD 2 cannot be accomplished using the UI. Changes to the default Secret Detection ruleset must be configured elsewhere and is a relatively manual process.
  3. 𐄂 JTBD 3 is not directly addressed within the secret detection configuration flow. There is no way to run a "demo" scan to validate the configuration from the UI.

Findings unique to Secret Detection

None

Findings shared with Dependency Scanning

  1. Enabling secret detection is a quick and simple process. There is no configuration required
  2. A .gitlab-ci.yml file is automatically created and/or updated for users when enabling secret detection

Findings shared with other scanners

  1. Much like SAST and all other scanners, the end of the configuration process (merging code to enable the feature) doesn't do a great job assuring users that the scanner is properly enabled. The change in system status is not easily discovered.
  2. Not all configuration options are exposed in the UI
    1. Secret detection has a few configuration options available, but they are not configurable via the UI.
Edited by Michael Fangman