Allow user to configure Secure features in UI
Problem to solve
Users are unable to configure a security scan feature directly in the UI.
Context: In the &1784 study, only 1 of 5 users was able to properly configure a security scan when given the task. We found that users navigated to the Security section of the left nav with ease; however, they were disappointed when arriving at this section and not finding an "on/off" switch. The discovery issue #13646 (closed) produced a workflow that lets a user configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Jobs to be done:
When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.
When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.
As an MVC, configuration from the UI would apply to the default branch only. In future iterations we'd like to enable the user to apply scans to any branch directly from this UI. Related: the security dashboard only shows results from the default branch. Issue #33160 aims to improve this by allowing users to view data from feature branches. These two issues are closely related and align in iterations.
Allow users to create a merge request that adds the security scan template to `.gitlab-ci.yml` (default branch only). This carries out the task from the configuration section in https://gitlab.com/gitlab-org/gitlab-ee/issues/13638.
Design updates are still being completed, but the following designs capture the key changes:
Permissions and Security
The configuration UI would be visible to maintainers/owners; developers would see the status screen (https://gitlab.com/gitlab-org/gitlab-ee/issues/13638).
What does success look like, and how can we measure that?
- User navigates to the section (when tasked with setting up scans) and better understands how to configure the scans
- The documentation links are clear and help guide users to set up security scans
- User successfully adds respective template per merge request flow
- User understands that this UI applies only to the default branch.
What is the type of buyer?
Links / references
- MVC prerequisite issue: #13638
- Related issue that identifies security jobs in pipeline: !17568 (merged)
- Solution validation: https://docs.google.com/presentation/d/1blpG78sBTNYcFyP1DH4gNjmJSB8SGm4xMgVtOe9UXLo/edit?usp=sharing