Remove SAST analyzer configuration UI
Problem to solve
The current SAST Analyzers configuration options on the SAST Configuration page are confusing and error-prone. A misconfiguration here can disable an analyzer that a project actually needs, so vulnerabilities in that language or framework go unreported, or it can add analyzers that only increase pipeline time and maintenance burden. Moreover, this feature only caters to a small subset of users, since most projects do not need to alter the default analyzer configuration.
A recent study involving 18 participants who were asked to configure GitLab's SAST tool through the UI revealed significant user errors in the SAST Analyzers configuration section. The errors stemmed from a lack of clarity in the configuration options, which made it difficult to select the correct analyzers. For details on the specific problems encountered, see this issue: Improve usability of SAST analyzer configuratio... (#390421 - closed).
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Proposal
To simplify the SAST configuration process and improve the user experience, we should consider removing the SAST Analyzers UI from the configuration page. Because this change affects users who have already configured their analyzers through the UI, we should communicate it in the UI itself. The communication should give clear instructions on the alternative way to configure SAST analyzers (CI/CD variables in the project's pipeline configuration) and reassure users that their existing configuration continues to apply unchanged, since it is stored in .gitlab-ci.yml rather than in the UI.
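For reference, the following is an added example of the alternative configuration path, not text from this issue or from GitLab's documentation. It assumes the standard SAST template include and uses the SAST_EXCLUDED_ANALYZERS variable, which GitLab's SAST template honours; the analyzer name excluded here (brakeman) is chosen for illustration only.

```yaml
# Added example (not part of this issue): configuring SAST analyzers without
# the UI, directly in the project's .gitlab-ci.yml.
include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  # Comma-separated list of analyzer names to skip. Every other default
  # analyzer still runs, so no project type is silently left unscanned.
  # "brakeman" is an illustrative choice, not a recommendation.
  SAST_EXCLUDED_ANALYZERS: "brakeman"
```

Because this lives in version control, a review of the merge request that changes it is the natural place to catch an analyzer being excluded by mistake, which is the check the UI checkboxes did not give users.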
Please refer to the design section of this issue for an example of how this change might be communicated on the SAST configuration page. Documentation changes should also be considered.