Add security features into the nav
Problem to solve
Security features exist in different places within the application and while this makes sense to keep some features where they are with respect to the users' needs, we still need a central location for core security features especially as we plan on adding new features and enhancing others.
Information Architecture Today
Users
CISO, Security Director, Security Team Lead,
Security Analyst: Persona: Security Analyst
DevOps Engineer: Persona: DevOps Engineer
Dev Team Lead Persona: Development Team Lead
User Approach
User stories
| User | Story | Target navigation area |
|---|---|---|
| As a CISO or Security Director | I want a place where I can monitor my organization's security status and other important metrics, so I can respond to issues if they arise. | Instance / Security Dashboard / Overview Metrics |
| - | I want a place where I can monitor my team's progress, so I can make sure they are focused on the highest priority or most important issues. | Instance / Security Dashboard / Overview Metrics |
| - | I want a place where I can create and download a report, so I can present my teams progress and the security status of the organization | Instance / Reports / Download Report |
| User | Story | Target navigation area |
|---|---|---|
| As a Security Analyst | I want a place where I can find all of the vulnerabilities for my organization, so I can take the necessary action on them from one place and not have to go to different locations to manage them. | Instance / Security Dashboard / Vulnerability List |
| - | I want to monitor the remediation status of vulnerabilities that are at various stages of the remediation process, so that I can respond quickly if errors occur. | Instance / Auto-remediation, or Project / Auto-remediation |
More stories TBD
Information Architecture Proposal
| Project level | Group level | Instance level |
|---|---|---|
 |
 |
 |
Proposed feature locations
Project Level
| Feature | Status | Location |
|---|---|---|
| MR security Widget | Viable | Remains in place |
| Pipeline Security Report | Viable | Remains in place |
| Project Security Dashboard | Viable | Project / Security / Vulnerabilities (TBD: presented as vuln list |
| License Management | Viable | Project / Security / License Compliance |
| Auto-remediate tracking (project level) | Concepting | Project / Security / Auto-Remediate |
| Tool configuration and onboarding | Concepting | Project / Security / Tool Configuration |
| Slack integration | Concepting | Project / Security / Settings |
| HackerOne integration | Concepting | Project / Security / Settings |
| License Management status in project home | Concepting | Project / Security / Overview |
Group Level
| Feature | Status | Location |
|---|---|---|
| Group Level Dashboard | Viable | Group / Security / Vulnerabilities (TBD: Presented w/o chart) |
| Group Auto-Remediate tracking | Concepting | Group / Security / Auto-Remediate / Status |
| Group Auto-Remediate settings | Concepting | Group / Security / Auto-Remediate / Settings |
| Group License Management (compliance) | Planned 12.x | Group / Security / License Compliance |
| Pipeline Status | TBD | Group / Security / CI/CD |
| Environment Status Similar issue | TBD | Group / Security / CI/CD |
| Group level 3rd party integrations like | Concepting | Group / Security / Settings |
| Group level email notification | Concepting | Group / Security / Settings |
Instance Level
| Feature | Status | Location |
|---|---|---|
| Instance Level Dashboard | In Consideration | Instance / Security / Dashboard |
| Overview Mertics | Concepting | Instance / Security / Dashboard |
| Dashboard settings and configuration idea part of a broader effort for a custom dashboard | Concepting | Instance / Security / Dashboard / Dashboard Settings |
| Dashboard Report related idea | concepting | Instance / Security / Dashboard / Dashboard Report |
| Vulnerability Database | TBD | Instance / Security / Vulnerability Database |
| Global Whitelisting | Concepting | Instance / Security / Global Whitelisting |
| SLA Settings Epic link | Concepting | Instance / Security / SLA Settings |
| Permissions similar issue also consider role settings as well | Concepting | Instance / Security / Permissions |
Wireframes
| Project level | Group level | Instance level |
|---|---|---|
 |
 |
 |
MVC
Scope:
We are going to take what we have today, and planned to release in June and use this as a foundation to begin building the navigation section for secure.
| Project Level | Group Level |
|---|---|
| Security Dashboard | Security Dashboard |
| Dependency List (June Release) | - |
| License Compliance (moved from settings) | - |
Project Details:
At the project level, we will name the nav section Security & Compliance since we have features for both available.
- If a user selects the top-level item instead of using the flyout with the Secure nav area, they will be taken to the project level security dashboard by default.
Group Details:
We only have one feature today -the Group level security dashboard- to nest into the navigation so this area will be named Security for the time being. Once we add Group level license compliance, we will change the name to Security and Compliance
Information architecture
Designs
Project level
| Project level nav details |
|---|
 |
| Project level default page |
|---|
 |
Group level
| Group level nav details |
|---|
 |
| Group level default page |
|---|
 |
https://gitlab.com/gitlab-org/gitlab-ee/issues/12250
What does success look like, and how can we measure that?
- Clicks on security features in the nav
- Click path (journey) into security products changes and becomes shorter