Improve workflow consistency when enabling a security tool

Recommendation from Secure - Audit of scanner configuration UI

Problem to Solve

The workflows for enabling security scanners in GitLab are not consistent (Ultimate users). How might we align the configuration workflows to make them more consistent? Improving consistency should promote learnability and efficiency of use.

Insight

  • 3 of 8 scanners can be enabled via an auto-generated MR.
    • 1 of those 3 (SAST) provides configuration options within the UI prior to generating the MR.
  • 5 of 8 scanners must be enabled by editing the CI file.
    • 2 of those 5 (DAST & API Fuzzing) provide configuration options within the UI and assist users by generating a code snippet based on their chosen configuration. The code snippet must be manually added to the CI file to enable scanning.

Considering the 2 points above, it's possible for a user to configure 4 security scanners and encounter a different experience EVERY TIME. The image below illustrates a simplified chart of the 4 possible workflows:

[Image: secure-scannerConfig-workflows]

Additional information

The proposal should consider the following 3 configuration-related job statements:

  1. When I am configuring a CI/CD security scan, I want to specify which assets need to be scanned and under which circumstances, So that I can ensure my assets are secure prior to or at their release.
  2. When I am configuring a security scan, I want to specify which types of vulnerabilities the scan should detect, So that we don't waste time sorting through irrelevant findings.
  3. When I am either enabling or configuring a security scan, I want to run a demo scan, So that I can validate my configuration before it is implemented.

Proposal

To be determined...