Explore how we might introduce the high-level concepts of application security and how it works at GitLab throughout the UI and/or documentation
Recommendation from Secure - Audit of scanner configuration UI
Problem to solve
The high-level concepts about application security and how it works within GitLab aren't really explained in the UI, so users are left to make assumptions. Incorporating this information into the UI and documentation could make application security more approachable for users who aren't familiar.
Insights
- The fact that security scans run as pipeline jobs is not explicitly mentioned anywhere in the UI. Not knowing about this association could lead to confusion when configuring or running a scan.
- It's not mentioned in the UI that enabling a security scan requires adding it to the project's CI/CD pipeline.
- The descriptions of the various scan types are all very similar. Users who are unfamiliar with application security testing tools may have a difficult time trying to decipher the difference between them.
- The main security configuration page, for example, makes a lot of assumptions about a user's understanding of security scanning and GitLab as a whole.
Proposal considerations:
- How might we introduce the high-level concepts using concise UI copy? For example:
  - Security scans run automatically as part of your project's pipeline and can also be run manually using on-demand scans.
  - Enabling an automatic security scan requires adding it to your project's CI file.
- How might we update the descriptions of the security tools so it's easier for inexperienced users to determine which scanner to run, and when?
  - Scanner descriptions can be sprinkled across the configuration workflow. For example, introduce the scanner on the Security configuration page, and explain more about how it works on the scanner configuration page (when applicable).
Proposal
To be determined...
