Allow user to configure Secure features in UI to any branch
Problem to solve
Users are unable to configure a security scan feature on any branch directly from the UI.
Context: #34771 (closed) is an MVC that will allow the user to configure a scan by way of an MR, but it will only add the template to gitlab-ci.yml in the default branch. Adding scans to a feature branch would still need to be done manually. The discovery in #13646 (closed) produced the workflow that enables a user to configure security scans directly from the UI. This workflow was validated in ux-research#359 (closed), where we saw 5 of 5 participants successfully configure a scan.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Further details
Jobs to be done:
When I want to configure my security tools, I want to be able to configure them to address my own business risk policies, so that I can be assured my company is monitoring risk based on our business risk policies.
When I want to implement security tools, I want to be able to install them easily and know they are working properly, so that I can be reassured my company is managing and monitoring risk.
Related issue:
The security dashboard only shows results from the default branch. Issue #33160 looks to improve this by allowing users to view data from feature branches. These two issues are closely related and align in iterations.
Proposal
Allow users to create a merge request that adds a security scan template to the gitlab-ci.yml of any selected branch.
UI flow (maintainer view): [screenshot not included in this extract]
This MVC adds the ability for the user to select the branch to 1) view status and 2) apply templates.
Permissions and Security
- The maintainer view is shown above: maintainers can create an MR to add a template.
- Developers can see the status and switch branches, but cannot create an MR.
Documentation
..
Testing
..
What does success look like, and how can we measure that?
- Users navigate to the section (when tasked with setting up scans) and better understand how to configure the scans
- The documentation links are clear and help guide users to set up security scans
- Users successfully add the respective template via the merge request flow
- Users benefit from the ability to configure any branch from the screen
What is the type of buyer?
Links / references
- Blocked until completion of:
- Related issue that identifies security jobs in pipeline: !17568 (merged)
- Solution validation: https://docs.google.com/presentation/d/1blpG78sBTNYcFyP1DH4gNjmJSB8SGm4xMgVtOe9UXLo/edit?usp=sharing