Allow user to configure Secure analyzers in UI

Problem to solve

Users are unable to configure a security scan feature directly in the UI.

Context: In &1784 (closed) study, only 1 of 5 users were able to properly configure a security scan when given the task. We found that users navigated to the left nav security section with ease; however were disappointed when arriving to this section and not finding a "on/off" switch. This discovery: #13646 (closed) produced a workflow to enable a user to configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.

📽 view video walkthrough

Intended users

Further details

Jobs to be done:

When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.

When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.

Future iterations:

As an MVC, the configurations made directly from the UI would apply to the default branch (note: any feature branches created afterwards will include the configured scans). Related: the security dashboard only shows results from the default branch. Issue #33160 (closed) looks to improve this by allowing users to view data from feature branches.

Proposal

Allow users to create a merge request that adds the security scan template(s) to the gitlab-ci.yml (default branch only). This task is completed in the configuration section: https://gitlab.com/gitlab-org/gitlab-ee/issues/13638.

📽 view video walkthrough of current iteration under review:

  • 0:00-4:23 Context and flow configuring SAST, License Compliance, Dependency Scanning
  • 4:23-9:47 Proposal when the user selects to configure DAST and/or Container Scanning UX
  • 9:47-12:27 Related flow: untested projects on group dashboard anchors to the project configuration screen

UI/flows under review:

Image: flow

  • If the user selects SAST, License Compliance, and/or Dependency Scanning, the related template(s) are committed and a merge request is created.
  • If the user selects Container Scanning and/or DAST, the related template(s) are committed together with the variables the user must confirm or fill in (for DAST: variables: DAST_WEBSITE: https://example.com, for the user to enter their own site; for Container Scanning: confirmation of variables: IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA). The merge request is created with WIP status and the commit has skip ci, to make the user aware that additional configuration is required.

Image: related flow, from group dashboard (flow3)

Iteration I

Images: User flow: configuring a scan; Different UI states; flow UI

This flow shows the UX for adding a security scan. In this case, a gitlab-ci.yml file has already been created and some scans have already been added; the user is adding the 'License-Compliance' template. Different states of the UI configuration screen: i. no features have been configured, ii. user selects a feature and the MR button activates, iii. if a feature is already configured (√) the ability is disabled, iv. display when Auto DevOps is configured, v. case when an existing configuration MR is in progress, vi. includes subtext info for the scan.
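As an added illustration (not part of the issue or of GitLab's own code), this is the shape of the gitlab-ci.yml the proposed merge request would produce when all five scanners are selected; the template paths are assumed to be the GitLab-provided CI templates of the time, and the variable values are the ones named above:

```yaml
# Added illustration: generated gitlab-ci.yml after selecting every scanner.
# Template paths are an assumption about the GitLab-provided templates;
# only the two variables below come from the issue text.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Management.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # DAST scans a running deployment, so the committed value is only a
  # placeholder; the WIP merge request stays open until the user replaces
  # it with the site they operate.
  DAST_WEBSITE: https://example.com
  # Container Scanning is pointed at the image built earlier in the same
  # pipeline; the user confirms this value rather than typing it.
  IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA
```

The commit that adds this file carries skip ci in its message, so no pipeline runs against the placeholder DAST target before the user has completed the configuration.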

Permissions and Security

The configuration UI would be visible to maintainers/owners; developers would see the status screen (https://gitlab.com/gitlab-org/gitlab-ee/issues/13638).

Documentation

..

Testing

..

What does success look like, and how can we measure that?

  • User navigates to the section (when tasked with setting up scans) and better understands how to configure the scans
  • The documentation links are clear and help guide users to set up security scans
  • User successfully adds the respective template via the merge request flow
  • User understands that this UI applies only to the default branch.

=> Related research study

What is the type of buyer?

~Ultimate

Links / references

Conclusion

Opened individual group issues (related scanners, per process update) to look at configuration in the UI.

Edited by Kyle Mann