Design: Security Configuration UI Vision

Problem to solve

The Security Configuration interface has undergone significant changes and expansion in recent years. These changes have led to challenges in effectively accommodating all features within the current design. The project-level Security Configuration page is experiencing various user experience issues due to these changes. Additionally, there is a growing demand for configuration options at the group level. There's an opportunity to approach security configuration more holistically to create a scalable solution for the future.

Feedback & design considerations
The following feedback and design considerations should help guide the development of the next iteration of Security Configuration.

  • We should consider updating the layout of the security configuration page to align with GitLab's updated guidance for single-column layouts on settings-related pages (reference).
  • The current random ordering of tools on the security configuration page, coupled with its growing size, makes it challenging for users to find relevant security tools. How can we improve tool discoverability and user onboarding?
    • Consider implementing sorting or search features.
    • Provide suggestions such as "essential" or "advanced" to help users decide what to enable.
    • Make recommendations based on standard practices or their usage of GitLab.
  • CI/CD security tools require a merge request for activation, while others like Pre-receive Secret Detection need to be turned on in the UI directly. How can we clearly distinguish between these enablement methods?
    • We might consider enhancing consistency by grouping cards that lead to documentation ("learn more" and "configuration guide") separately from those that initiate in-app flows ("enable button").
  • Some tools (e.g., Pre-receive Secret Detection and Pipeline Secret Detection) are related but operate differently. How can we better associate these tools without implying interdependence?
  • We should review the accuracy of security testing tools' statuses displayed on the configuration page, as they may be misleading due to factors like enforced policies or settings managed outside the configuration page.
  • There's a need to introduce a group-level page for security configuration (relevant discussion).
    • Dig into this to understand why it's "group-level", to ensure we're at the highest level that achieves users' goals (Instance > Namespaces > Groups > Projects).

Note: Detailed feedback and insights influencing this issue can be found in discussions on this page design: #451559 (closed)

Attached image: Secret_detection_-pre-receive_scanning-_project-level_configuration.png

Proposal

Design assets

Summary of proposed changes

Create page template for tool configuration:

  • New UI Pages: Develop dedicated pages for managing tool configuration options via UI at both the project and group levels.
  • Revise workflow for accessing scanner configuration: Establish a new design pattern for accessing security tool configuration parameters in the UI.

Introduce Group-Level Security Configuration:

  • New Group-Level Page: Create a group-level security configuration page based on the design patterns used for project-level security configuration. This will provide a seamless and familiar interface for managing security tools at both levels.
  • (WIP) Leveraging Scan Execution Policies (SEP): For enabling scanners at the group level, consider using SEP instead of direct enablement through the security configuration page. SEP offers more granular control for managing project-level enablement.
  • (WIP) Scanner Status Display: The group-level security configuration page should indicate if a scanner is enabled via SEP and list the projects where the scan is enabled.
  • (WIP) Policy Management Integration: The security configuration page should direct users to create and manage SEP to enable scanners.
  • Tool Configuration Access: Ensure that the configuration for security tools is accessible from the group-level security configuration page.

Support Cascading Configuration:

  • Group-Level Cascading: Implement cascading configuration settings from the group level to streamline and simplify security management across multiple projects.

Additional details to be added...

Attached image: Security-configuration-UI-placement

Edited by Michael Fangman