Configuration Profile User Stories
## Problem to solve

This issue is to review and finalize the user stories defined in https://gitlab.com/gitlab-org/gitlab/-/issues/560663#note_2679285153

_Note: This issue will be the single source of truth for user story finalization._

## User Stories

### Security Persona

<table>
<tr>
<th> **Original story** </th>
<th> **Refined story** </th>
<th> **Notes** </th>
<th> **Comments** </th>
</tr>
<tr>
<td colspan="4">Configuration</td>
</tr>
<tr>
<td rowspan="5">As an appsec engineer, I want to enable secret push protection for all digital assets that are critical to my business with a consistent set of detections/exclusions that match my business requirements, so that I can reduce the likelihood of secret leak being introduced during a code push.</td>
<td>As an AppSec engineer, I need to create and manage a consistent set of detections and exclusions that match my business requirements when configuring security scanning across projects and tools so I can minimize the time it takes to configure security scanning across projects.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to create and manage a consistent set of detections and exclusions that match my business requirements when configuring security scanning across projects and tools so I can minimize the likelihood that detections drift out of alignment with business requirements.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to create and manage a consistent set of detections and exclusions that match my business requirements when configuring security scanning across projects and tools so I can minimize the likelihood that detections vary unpredictably across projects.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to create and manage a consistent set of detections and exclusions that match my business requirements when configuring security scanning across projects and tools so I can minimize the likelihood of false positives that create unnecessary noise and slow down legitimate development work.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to create and manage a consistent set of detections and exclusions that match my business requirements when configuring security scanning across projects and tools so I can minimize the likelihood that true risks are overlooked due to gaps in detection coverage.</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="4">As a Security Engineer, I need to provide pre-built configuration profiles for my organization, so new projects can get started securely without manual setup or guesswork.</td>
<td>As a Security Engineer, I need to provide pre-built scanner configuration for my organization so I can minimize the time it takes for new projects to adopt baseline security controls.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a Security Engineer, I need to provide pre-built scanner configuration for my organization so I can minimize the likelihood that security configurations vary unpredictably across projects.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>As a Security Engineer, I need to provide pre-built scanner configuration for my organization so I can minimize the likelihood that projects fail compliance checks due to missing or inconsistent security configurations.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>As a Security Engineer, I need to provide pre-built scanner configuration for my organization so I can minimize the time it takes to update configurations when security requirements change.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td rowspan="2">As a Security Engineer, I need to update a configuration profile once and have those changes automatically propagate to all associated projects, so I can reduce maintenance overhead and avoid inconsistencies.</td>
<td>As a Security Engineer, I need to update a configuration profile once and have those changes automatically propagate to all associated projects so I can minimize the time it takes to maintain security configurations across projects.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a Security Engineer, I need to update a configuration profile once and have those changes automatically propagate to all associated projects so I can minimize the likelihood that project configurations drift and create inconsistencies.</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="2">As a Security Administrator, I need visibility into which projects are using each configuration profile, so I can understand the scope and impact of updates before making changes.</td>
<td>As a Security Administrator, I need visibility into which projects are using each configuration profile so I can minimize the time it takes to assess the scope of impact before updating a configuration profile.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a Security Administrator, I need visibility into which projects are using each configuration profile so I can minimize the likelihood of introducing unintended negative impacts across dependent projects.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>I want to be able to share/copy/duplicate custom rules across multiple profiles.</td>
<td>As an AppSec engineer, I need to share, copy, or duplicate custom and modified detection rules across profiles so I can minimize the time it takes to apply consistent protections across my projects.</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="2">I want all scans to exclude our internal glpat token: `glpat-3948384333`.</td>
<td> **SPP** - As an AppSec engineer, I need to exclude a specific value (such as a glpat used for testing) so I can minimize the likelihood of false positives that block legitimate pushes. </td>
<td></td>
<td></td>
</tr>
<tr>
<td> **PSD** - As an AppSec engineer, I need to exclude a specific value (such as a glpat used for testing) so I can minimize the likelihood of false positives that create unnecessary noise and slow down legitimate development work. </td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="2">I want to create custom secret push protection rules for my business’s custom token format.</td>
<td> **SPP** - As an AppSec engineer, I need to create custom rules to detect my organization’s unique token formats so I can minimize the likelihood that business-specific secrets are overlooked during code pushes. </td>
<td></td>
<td></td>
</tr>
<tr>
<td> **PSD** - As an AppSec engineer, I need to create custom rules to detect my organization’s unique token formats so I can minimize the likelihood that business-specific secrets are missed by scans and remain undetected in the repository. </td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to include my company's custom ORM in the current SAST SQL Injection rules.</td>
<td> **SAST** - As an AppSec engineer, I need to include my company’s custom ORM in SAST SQL Injection rules so I can minimize the likelihood that SQL injection vulnerabilities are missed due to unsupported frameworks. </td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to set a max crawler timeout of 30 seconds for my recurring DAST scan.</td>
<td> **DAST** - As an AppSec engineer, I need to configure a 30-second crawler timeout so I can minimize the likelihood that scans take excessive time to complete. </td>
<td></td>
<td></td>
</tr>
<tr>
<td colspan="4">Enablement</td>
</tr>
<tr>
<td rowspan="4">As an AppSec engineer, I need to enable security controls (such as secret push protection) for all digital assets that are critical to my business with a consistent set of detections/exclusions that match my business requirements so that I can minimize the time it takes to configure my security controls, minimize the risks associated with misconfigurations and false positives, and…</td>
<td>As an AppSec engineer, I need to enable security controls for all digital assets that are critical to my business in a consistent and scalable way so I can minimize the time it takes to configure my security controls.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to enable security controls for all digital assets that are critical to my business in a consistent and scalable way so I can minimize the likelihood of risks associated with misconfigurations.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to enable security controls for all digital assets that are critical to my business in a consistent and scalable way so I can minimize the likelihood that security controls drift out of alignment with business requirements over time.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to enable security controls for all digital assets that are critical to my business in a consistent and scalable way so I can minimize the likelihood that security controls vary unpredictably across projects.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td rowspan="3">As an AppSec engineer, I need to apply consistent security configurations across all of my projects without manually configuring each one when I am configuring security at scale, so that I can minimize the likelihood of data leaks, exposures, delivery of exploitable/vulnerable code, and ultimately prevent negative impact to my business.</td>
<td>As an AppSec engineer, I need to apply consistent security configurations across all projects when configuring security at scale so I can minimize the likelihood of data leaks.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to apply consistent security configurations across all projects when configuring security at scale so I can minimize the likelihood that exploitable code is delivered to production.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to apply consistent security configurations across all projects when configuring security at scale so I can minimize the likelihood of negative business impact resulting from inconsistent security practices.</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="3">As an appsec engineer, I want to allow different instances of scanners in different locations (projects, groups, IDE, and pipeline) to fetch the same configuration without duplication, so that I can effectively and efficiently detect security issues across my assets.</td>
<td>As an AppSec engineer, I need to apply a shared set of configurations for each security tool across all organizational locations (projects, groups) and scan contexts (IDE, pre-commit, merge request, production) so I can minimize the time it takes to configure and maintain scanning rules across my assets.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to apply a shared set of configurations for each security tool across all organizational locations (projects, groups) and scan contexts (IDE, pre-commit, merge request, production) so I can minimize the likelihood that scanner configurations drift and produce inconsistent detection results across environments.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to apply a shared set of configurations for each security tool across all organizational locations (projects, groups) and scan contexts (IDE, pre-commit, merge request, production) so I can minimize the likelihood that security issues go undetected due to misaligned or outdated configurations.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to enable secret push protection for all digital assets that are critical to my business with a consistent set of detections/exclusions that match my business requirements, so that I can reduce the likelihood of secret leak being introduced during a code push.</td>
<td> **SPP** - As an AppSec engineer, I need to enable Secret Push Protection so I can minimize the likelihood of a secret leak being introduced during a code push. </td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to enable secret detection pipeline scanning for all digital assets that are critical to my business, so that I can reduce the impact of a secret leak being introduced into my code repository (and potentially production).</td>
<td> **PSD** - As an AppSec engineer, I need to enable Pipeline Secret Detection so I can minimize the likelihood that secrets are introduced into my repositories or production systems. </td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to enable SAST pipeline scanning for all digital assets that are critical to my business.</td>
<td> **SAST** - As an AppSec engineer, I need to enable SAST so I can minimize the likelihood that exploitable vulnerabilities are introduced into my codebase. </td>
<td></td>
<td></td>
</tr>
<tr>
<td>As an appsec engineer, I want to enable DAST pipeline scanning for all digital assets that are critical to my business.</td>
<td> **DAST** - As an AppSec engineer, I need to enable DAST so I can minimize the likelihood that exploitable runtime vulnerabilities are introduced into production systems. </td>
<td></td>
<td></td>
</tr>
<tr>
<td colspan="4">Execution</td>
</tr>
<tr>
<td rowspan="3"> _New story_ </td>
<td>As an AppSec engineer, I need to define when scans should be triggered across different contexts (pre-commit, merge request, scheduled runs, production deployments) when enabling them so I can minimize the likelihood that vulnerabilities are introduced without being detected at the right stage of development.</td>
<td>New story</td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to define when scans should be triggered across different contexts (pre-commit, merge request, scheduled runs, production deployments) when enabling them so I can minimize the time it takes to identify risks by running scans at the most effective points in the workflow.</td>
<td>New story</td>
<td></td>
</tr>
<tr>
<td>As an AppSec engineer, I need to define when scans should be triggered across different contexts (pre-commit, merge request, scheduled runs, production deployments) when enabling them so I can minimize the likelihood of wasted resources from unnecessary or redundant scans.</td>
<td>New story</td>
<td></td>
</tr>
<tr>
<td>I want to begin scanning all specified projects immediately, so that I can gain rapid visibility into potential risks without delays and begin triaging/mitigating risk as soon as possible.</td>
<td>As an AppSec engineer, I need to begin scanning all specified projects immediately so I can minimize the time it takes to gain visibility into potential risks.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>I want to execute a historical scan to detect secrets in old commits.</td>
<td>As an AppSec engineer, I need to execute historical scans across my projects so I can minimize the likelihood that previously introduced security issues remain undetected.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>I want to ensure continuous scanning of projects as new data is introduced into the system (e.g. MRs, commits, deployed code).</td>
<td>As an AppSec engineer, I need to ensure continuous scanning of projects as new data is introduced into the system so I can minimize the likelihood that new vulnerabilities or secrets slip through ongoing development.</td>
<td></td>
<td></td>
</tr>
<tr>
<td colspan="4">Enforcement</td>
</tr>
<tr>
<td rowspan="3"> **As an appsec engineer, I want to ensure security governance through guardrails, defining what must be achieved, without dictating specific technical scan parameters or tool selection, so that security standards are consistent while development teams retain flexibility in implementation.** </td>
<td> **As an AppSec engineer, I need to ensure security governance through guardrails that define required outcomes without dictating specific technical scan parameters or tool selection so I can minimize the likelihood that security standards are applied inconsistently across development teams.** </td>
<td></td>
<td></td>
</tr>
<tr>
<td> **As an AppSec engineer, I need to ensure security governance through guardrails that define required outcomes without dictating specific technical scan parameters or tool selection so I can minimize the likelihood that development teams are slowed down by overly rigid security requirements.** </td>
<td></td>
<td></td>
</tr>
<tr>
<td> **As an AppSec engineer, I need to ensure security governance through guardrails that define required outcomes without dictating specific technical scan parameters or tool selection so I can minimize the likelihood of misalignment between security objectives and development team implementations.** </td>
<td> **New outcome** </td>
<td></td>
</tr>
</table>

### Developer Persona

<table>
<tr>
<th> **Original story** </th>
<th> **Refined story** </th>
<th> **Notes** </th>
<th> **Comments** </th>
</tr>
<tr>
<td colspan="4">Configuration</td>
</tr>
<tr>
<td rowspan="3">As a developer, I want the flexibility to make project-specific configuration overrides for security scans (e.g., exclusions), while still adhering to broader organizational policies, so that I can optimize scans for my project's specific needs.</td>
<td>As a developer, I need to make project-specific configuration overrides for security scans (e.g., exclusions) while still adhering to broader organizational policies so I can minimize the likelihood that security scans miss relevant issues due to unadjusted project-specific conditions.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a developer, I need to make project-specific configuration overrides for security scans (e.g., exclusions) while still adhering to broader organizational policies so I can minimize the likelihood that security scans generate unnecessary noise from irrelevant findings in my project.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a developer, I need to make project-specific configuration overrides for security scans (e.g., exclusions) while still adhering to broader organizational policies so I can minimize the likelihood of deviating from organizational security standards when making local adjustments.</td>
<td></td>
<td></td>
</tr>
<tr>
<td colspan="4">Enablement</td>
</tr>
<tr>
<td rowspan="3">As a developer (and an AI-powered solopreneur), I want to enable basic security scanning with zero or one-click configuration, so that I can get immediate security feedback on my code without navigating complex setup processes or YAML files.</td>
<td>As a developer (and an AI-powered solopreneur), I need to enable basic security scanning on my project with minimal setup effort so I can minimize the time it takes to begin receiving security feedback on my code.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a developer (and an AI-powered solopreneur), I need to enable basic security scanning on my project with minimal setup effort so I can minimize the likelihood of errors or delays caused by complex setup processes.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a developer (and an AI-powered solopreneur), I need to enable basic security scanning on my project with minimal setup effort so I can minimize the likelihood that security scanning is skipped entirely due to configuration barriers.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td rowspan="3">As a new Developer, I need to quickly enable security scanning in my project using a recommended set of configurations, so I can adopt best practices without needing deep expertise in tool setup.</td>
<td>As a developer, I need to enable security scanning in my project using a recommended set of configurations so I can minimize the time it takes to adopt baseline security best practices.</td>
<td></td>
<td> @mfangman: This story seems like a more prescriptive version of the story above it. Two of the outcomes are the same as well (essentially). Should it be combined with the other story? </td>
</tr>
<tr>
<td>As a developer, I need to enable security scanning in my project using a recommended set of configurations so I can minimize the likelihood of errors or gaps caused by lack of expertise in configuring security tools.</td>
<td></td>
<td></td>
</tr>
<tr>
<td>As a developer, I need to enable security scanning in my project using a recommended set of configurations so I can minimize the likelihood that security scanning is skipped entirely due to setup complexity.</td>
<td>New outcome</td>
<td></td>
</tr>
<tr>
<td colspan="4">Other</td>
</tr>
<tr>
<td>As a developer, I want security scans to run quickly (ideally sub-minute scan times) within my CI/CD pipelines, so that I receive rapid feedback on code changes and maintain my development velocity.</td>
<td>—</td>
<td>This doesn't seem relevant to the configuration profile effort. It's an important target to focus on but seems out of scope.</td>
<td> @mfangman: **Recommend removing.** This seems out of scope for the configuration profile initiative. </td>
</tr>
<tr>
<td>As a developer, I want security findings to be displayed directly within my IDEs and merge requests, along with contextual remediation guidance and AI-powered auto-fix suggestions, so that I can quickly understand and resolve vulnerabilities without switching tools or context.</td>
<td>—</td>
<td>This is something we already support and seems separate from scan configuration/enablement/execution/enforcement.</td>
<td> @mfangman: **Recommend removing.** This seems out of scope for the configuration profile initiative.
@marissa.henri: Agree, this story falls under the VM category and Becka is working on this one. </td>
</tr>
</table>

## Resources

1. [Visual diagram of stories (FigJam)](https://www.figma.com/board/0qYMxRbhyxc4M9wCf3BXpp/Security-Configuration--Profiles--Policies--Etc?node-id=132-727&t=MscFFEDJ041PrxAV-4)