Allow user to configure Secure features in UI to any branch

Problem to solve

Users are unable to configure a security scan feature for any branch directly from the UI.

Context: #34771 (closed) is an MVC that will allow a user to configure a scan by way of an MR, but it will only add the template to gitlab-ci.yml in the default branch. Adding scans to a feature branch would need to be done manually. The discovery in #13646 (closed) produced the workflow to enable a user to configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.

Intended users

Further details

Jobs to be done:

When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.

When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.

Related issue:

The security dashboard only shows results from the default branch. Issue #33160 (closed) looks to improve this by allowing users to view data from feature branches. These two issues are closely related and align in iterations.

Proposal

Allow users to create a merge request that adds a security scan template to the gitlab-ci.yml on any selected branch.

UI flow (maintainer view)

[Figure: flow]

This MVC adds the ability for the user to select the branch in order to 1) view status and 2) apply templates.

Permissions and Security

  • The maintainer view is seen above: the ability to create an MR that adds a template
  • The developer can see the status and switch branches but is unable to create an MR

Documentation

..

Testing

..

What does success look like, and how can we measure that?

  • Users navigate to the section (when tasked with setting up scans) and better understand how to configure the scans
  • The documentation links are clear and help guide users to set up security scans
  • User successfully adds respective template per merge request flow
  • User benefits from the ability to configure any branch from the screen

=> Related research study

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Sam Kerr