Conduct research to understand user expectations when enabling a security scanner
Insight
Users do not expect to create a merge request to enable DAST CI/CD scanning.
Supporting evidence
During a solution validation study evaluating DAST CI/CD configuration, participants were not sure what would happen after selecting the “merge changes” button. Only a fraction of the participants’ expectations were in line with reality (creating an MR), and no one’s expectations were exactly right. Most participants expected the changes would be saved and applied immediately.
60% of participants (3/5) did not expect to see the “new merge request” page after selecting the “merge changes” action.
User quotes:
I don't know the relationship between the enable DAST [configuration page] and creating a merge for that. I don't think I can see the necessity to create a merge request to enable the feature. So that is not what I was expecting. Not at all
...it wasn't really what I was expecting, but I was thinking since I clicked [merge changes] it was already saved.
Action
Conduct further research to determine whether the problem is a result of the UI itself (such as the button text) or stems from a disconnect with a user’s mental model.
Note: This research initiative could include all of the various actions we use to configure and enable a security tool in GitLab. What do users expect? What is the correct language and workflow? etc.
Resources
Tasks
- Assign this issue to the appropriate Product Manager, Product Designer, or UX Researcher.
- Add the appropriate Group (such as ~"group::source code") label to the issue. This helps identify and track actionable insights at the group level.
- Link this issue back to the original research issue in the GitLab UX Research project and the Dovetail project.
- Adjust confidentiality of this issue if applicable