Solution Validation for gitlab#466441

Results
`2-3 sentences to summarize the results`
- Link to Dovetail project

Conducting usability testing on the new concept for a Secret Detection Allowlist. Design issue: Design: Secret Detection Exclusions - Vision (gitlab#466441 - closed)

Understand what is and is not working well about the concept. Identify areas for improvement and/or refinement.
Determine if users have a preference for scanner-specific allowlists or a unified allowlist.
Generate a UXUM-Lite score and corollary SUS score. Compare scores with usability benchmarking study.

User Understanding of Allowlists: Many users, especially those less familiar with security or GitLab, may not fully understand the concept of an allowlist and its purpose within the application.
Allowlist Navigation Success: Users who have a grasp of the allowlist concept will generally be able to navigate the prototype effectively.
"Inherited from" Confusion: Users unfamiliar with GitLab's group/project structure may find the "Inherited from" content confusing.
Allowlist Item Addition: Adding an allowlist item should be a relatively straightforward process for most users.
Scanner-Specific Allowlists Preference: Users will likely prefer to manage allowlists at the scanner level, rather than having a single global list, to maintain better control over their security configurations.

UI Comprehension: Are users able to understand the basic concepts and terminology related to allowlists within the provided UI?
Navigation Efficiency: Can users easily locate and navigate to the allowlist settings or configuration options?
Intuitive Interface: Is the allowlist UI intuitive and easy to use, with minimal confusion or frustration?

Benefits Recognition: Do users understand the advantages of having scanner-specific allowlists, such as increased granularity and control over security settings?
Value Perception: Do users perceive the benefits of scanner-specific allowlists as outweighing any potential drawbacks or increased complexity?

Trade-Off Assessment: How do users weigh the benefits of granularity in scanner-specific allowlists against the potential efficiency gains of a unified allowlist?
Preference Determination: Do users have a strong preference for one approach over the other, or are their preferences more nuanced?

Understanding of Scope: Do users understand how the allowlist applies to different levels of the hierarchy (project, group, etc.) and how it interacts with various secret detection methods?
Expected Behavior: Do users' expectations regarding the application of allowlists align with the actual behavior of the system?

Primary persona: Amy (Application Security Engineer)
- JTD: As an AppSec practitioner, I want to eliminate specific secret detection findings, so that I reduce as much organizational friction as possible, and reduce time spent triaging unnecessary findings, while using secret detection to maintain good security controls.
Secondary persona: Sasha (Software Developer)
- JTBD: As a developer, I want to reduce irrelevant secret detection findings, so that I can maintain an efficient workflow.

This research will help determine if the design direction for an Allowlist meets users or if changes are needed before implementation.

We may end up building the allowlist in a way that doesn't align with user expectations.
We potentially add more complexity and/or confusion in the UI

ASAP

Edited Aug 21, 2024 by Michael Fangman