Allow user to configure Secure analyzers in UI
Problem to solve
Users are unable to configure a security scan feature directly in the UI.
Context: In the &1784 (closed) study, only 1 of 5 users was able to properly configure a security scan when given the task. We found that users navigated to the left-nav Security section with ease; however, they were disappointed on arriving at this section and not finding an "on/off" switch. The discovery issue #13646 (closed) produced a workflow to enable a user to configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Further details
Jobs to be done:
When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.
When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.
Future iterations:
As an MVC, the configurations made directly from the UI would apply to the default branch only (note: any feature branches created afterwards will include the configured scans). Related: the security dashboard only shows results from the default branch. Issue #33160 looks to improve this by allowing users to view data from feature branches.
Proposal
Allow users to create a merge request that adds the security scan template(s) to the .gitlab-ci.yml (default branch only). This task is completed in the configuration section: https://gitlab.com/gitlab-org/gitlab-ee/issues/13638.
- 0:00-4:23 Context and flow configuring SAST, License Compliance, Dependency Scanning
- 4:23-9:47 Proposal when the user selects to configure DAST and/or Container Scanning UX
- 9:47-12:27 Related flow: untested projects on group dashboard anchors to the project configuration screen
UI/flows under review:
- If the user selects SAST, License Compliance, and/or Dependency Scanning, the related template(s) are committed and a merge request is created.
- If the user selects Container Scanning and/or DAST, the related template(s) are committed, and the user is prompted to enter (for DAST) `variables: DAST_WEBSITE: https://example.com` and to confirm (for Container Scanning) `variables: IMAGE_TAG: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA`. The merge request is created with WIP status and the commit has `skip ci` - this is to make the user aware that additional configuration is required.
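The branching described in the two flows above, as an added example (not GitLab's own code): given the scanners a user selected, it produces the .gitlab-ci.yml additions and decides whether the MR needs the WIP/skip-ci treatment. The template paths, the "WIP:" title prefix and the "[skip ci]" commit marker are assumptions; the variable names and values are the ones the issue lists.

```python
# Added example (not GitLab's own code): what the proposed "configure from
# the UI" flow would commit for a set of selected scanners, per the issue.
# Template paths follow GitLab's Security/*.gitlab-ci.yml convention and are
# assumed here; the "WIP:" title prefix and "[skip ci]" marker are assumed too.
TEMPLATES = {
    "SAST": "Security/SAST.gitlab-ci.yml",
    "License Compliance": "Security/License-Management.gitlab-ci.yml",
    "Dependency Scanning": "Security/Dependency-Scanning.gitlab-ci.yml",
    "DAST": "Security/DAST.gitlab-ci.yml",
    "Container Scanning": "Security/Container-Scanning.gitlab-ci.yml",
}
# Values from the issue: DAST_WEBSITE is a placeholder the user must replace,
# IMAGE_TAG is a default the user is asked to confirm.
REQUIRED_VARIABLES = {
    "DAST": {"DAST_WEBSITE": "https://example.com"},
    "Container Scanning": {
        "IMAGE_TAG": "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_REF_SHA"
    },
}


def build_scan_config(selected):
    """Return the .gitlab-ci.yml additions and MR/commit metadata."""
    unknown = [s for s in selected if s not in TEMPLATES]
    if unknown:
        raise ValueError(f"unknown scanners: {unknown}")
    lines = ["include:"]
    lines += [f"  - template: {TEMPLATES[s]}" for s in selected]
    variables = {}
    for s in selected:
        variables.update(REQUIRED_VARIABLES.get(s, {}))
    if variables:
        lines.append("variables:")
        lines += [f"  {k}: {v}" for k, v in variables.items()]
    # Only DAST / Container Scanning leave the pipeline unusable until the
    # user edits the MR, so only then mark it WIP and skip CI on the commit.
    manual = bool(variables)
    title = "Add security scanning templates"
    return {
        "ci_yaml": "\n".join(lines) + "\n",
        "mr_title": ("WIP: " if manual else "") + title,
        "commit_message": title + (" [skip ci]" if manual else ""),
        "needs_manual_config": manual,
    }


if __name__ == "__main__":
    print(build_scan_config(["SAST", "DAST"])["ci_yaml"])
```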
iteration I
Permissions and Security
The configuration UI would be visible to maintainers/owners; developers would see the status screen https://gitlab.com/gitlab-org/gitlab-ee/issues/13638
Documentation
..
Testing
..
What does success look like, and how can we measure that?
- User navigates to the section (when tasked with setting up scans) and better understands how to configure the scans
- The documentation links are clear and help guide users to set up security scans
- User successfully adds respective template per merge request flow
- User understands that this UI applies only to the default branch.
What is the type of buyer?
~Ultimate
Links / references
- MVC prerequisite issue: #13638 (closed)
- Related issue that identifies security jobs in pipeline: !17568 (merged)
- Solution validation: https://docs.google.com/presentation/d/1blpG78sBTNYcFyP1DH4gNjmJSB8SGm4xMgVtOe9UXLo/edit?usp=sharing
Conclusion
Opened individual issues per scanner group (related scanners, per process update) to look at configuration in the UI:
- SAST - #216635 (closed)
- DAST - #216610 (closed)
- License, dependency, container - #218235 (closed)