How to improve the experience when Core users are using SAST

Problem Statement

Background: all security features used to be available to Ultimate users only. With this epic, GitLab will start to bring SAST to Core users.

According to the epic, the following features (Table 1) and jobs to be done (JTBD, Table 2) will be available to different user tiers.

Next step: before we decide which experience we should improve for Core users, we first need to find out what their basic needs are to use SAST properly and which feature(s) they would consider a "pay-for" feature.

For details, see Table 2. A separate research issue will be created.

Table 1

| Capability | In Core | In Ultimate |
| --- | --- | --- |
| Configure SAST Scanners | Yes | Yes |
| Customize SAST Settings (Overrides, Available Variables, Filters, Timeouts, Settings) | Yes | Yes |
| View/Download JSON Report | Yes | Yes |
| Presentation of JSON Report in Merge Request | No | Yes |
| Interaction with Vulnerabilities | No | Yes |
| Configuration in UI | Yes, after it is available | Yes |
Table 2

| User need | Core experience | Ultimate experience | Question to confirm with user research |
| --- | --- | --- | --- |
| As a user, I would like to know there are security scans I can use, without being annoyed | Core user will find out by reading the product update, email, or website feature page | Ultimate user can see it in the UI; there is a security tab. Discoverability from the UI | Is reading the email/update enough for a Core user to find out about this feature? |
| As a user, I would like to configure the security scan I need (editing the *.yml file) | Core user needs to follow the documentation to set it up manually | Same as the Core user experience | For a Core user, how much value will SAST bring; is it worth the effort to configure it? |
| As a user, I would like to configure the security scan I need (just using the UI) | In planning (issue) | In planning (issue) | |
| As a user, I would like to enable security scans without configuration | Not available yet | Not available yet | |
| As a user, I can set certain approvers for the security scan result | Not available | After the issue is implemented, if the user goes to settings, the user would notice this and start using this feature | How important is this JTBD; should it be available for Core users? Would users prefer to have this in the Secure Configuration page? |
| As a user, when I have an MR, I see that there is a scan result (JSON format), so that I can download and see the results | User can download the JSON report from the list of artifacts of the MR result | Same as the Core user experience | Is this a good enough/useful feature for Core users? How many of them will actually use it: download the JSON, parse it and then read it separately? |
| As a user, when I have an MR with a scan result, I see the vulnerability in an easy-to-read format | Not available | User sees each finding as a one-line summary | |
| As a user, when I see a vulnerability in the MR, I can go to see more details | Not available | User can expand the vulnerability or go to see the full report as a separate page | |
| As a user, when I see a vulnerability in the MR, I can create an issue / assign / dismiss it | Not available | User needs to go to the full report first if they want to interact with the findings | |
| As a user, I can see all security findings in one single dashboard view | Not available | User needs to go to either the "group" or "project" level dashboard and check it there | |
| As a user, I can interact with security findings in the dashboard | Not available | | |
| As a Core user, I would like to know what other scans I might use if I upgrade my account | Not available | No need | Do Core users have interest in this? If yes, what is the preferred way to be notified? |
| As a Core user, I would like to know what other security-related features would help me view SAST results better, such as the dashboard, viewing findings directly in the MR, interacting in the MR | Not available | No need | Do Core users have interest in this? If yes, what is the preferred way to be notified? |
| As a Core user, I would like to try out the Ultimate user features before I upgrade | Not available | No need | Would this be useful for Core users when they try to make a decision about upgrading? |
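To give the Core-user path in Table 2 (download the JSON artifact, parse it, read it separately) a concrete shape, here is an added Python example; it is not code from this issue or from GitLab. It turns a SAST JSON report into the one-line-per-finding summary that Ultimate users get in the MR widget, most severe first, with an optional severity cutoff. The sample report is constructed, and the field names assume the GitLab SAST report schema (top-level `vulnerabilities`, each with `severity`, `scanner`, `location`, `identifiers`).

```python
import json

# Assumed severity scale used by GitLab SAST analyzers, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample report (not a real scan result). Field names follow the
# GitLab SAST report schema: a top-level "vulnerabilities" list whose entries
# carry severity, scanner, location and identifiers.
SAMPLE_REPORT = json.dumps({"version": "2.3", "vulnerabilities": [
    {"name": "Use of hard-coded password", "message": "Possible hardcoded password",
     "severity": "High", "scanner": {"id": "bandit", "name": "Bandit"},
     "location": {"file": "app/settings.py", "start_line": 12, "end_line": 12},
     "identifiers": [{"type": "cwe", "name": "CWE-259", "value": "259"}]},
    {"name": "Improper input validation", "message": "Possible SQL injection",
     "severity": "Critical", "scanner": {"id": "bandit", "name": "Bandit"},
     "location": {"file": "app/db.py", "start_line": 40, "end_line": 42},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
    {"name": "Weak hash", "message": "Use of insecure MD5 hash",
     "severity": "Medium", "scanner": {"id": "bandit", "name": "Bandit"},
     "location": {"file": "app/util.py", "start_line": 7, "end_line": 7},
     "identifiers": [{"type": "cwe", "name": "CWE-327", "value": "327"}]},
]})


def severity_rank(finding):
    """Lower rank = more severe; severities outside the scale sort last."""
    sev = finding.get("severity", "Unknown")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def summarize(report_text, min_severity="Low"):
    """One line per finding at or above min_severity, most severe first,
    in the shape of the per-finding summary the Ultimate MR widget shows."""
    report = json.loads(report_text)
    cutoff = SEVERITY_ORDER.index(min_severity)
    findings = sorted((v for v in report.get("vulnerabilities", [])
                       if severity_rank(v) <= cutoff), key=severity_rank)
    lines = []
    for v in findings:
        loc = v.get("location", {})
        cwes = ",".join(i["name"] for i in v.get("identifiers", []) if i.get("type") == "cwe")
        tag = v.get("scanner", {}).get("name", "?") + (" " + cwes if cwes else "")
        lines.append(f"{v.get('severity', 'Unknown')}: {v.get('message') or v.get('name')} "
                     f"({loc.get('file', '?')}:{loc.get('start_line', '?')}) [{tag}]")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT, min_severity="Medium"):
        print(line)
```

Point it at a downloaded `gl-sast-report.json` by reading the file into `summarize` instead of `SAMPLE_REPORT`.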

Reach

Impact

Confidence

Effort

Edited Mar 04, 2020 by Valerie Karnes