UX Research: What are the secrets that users are most concerned about committing in their repos?
What’s this issue all about?
We have several secret detection features designed to prevent sensitive information from being committed to repos, as well as ways to identify secrets that have already been committed. There have been requests to augment secret detection to prevent certain types of information from ever being committed in the first place.
While we can build a technical solution to detect most anything (
Who is the target user of the feature?
Security teams and security operators will be the primary people concerned with what is and is not allowed to be committed to the repo. Everyday developers will potentially be affected, as they are the ones who might commit something inappropriately.
What questions are you trying to answer?
Core questions
- What secrets and sensitive information are you concerned about being committed to the repo that are not being detected today?
- Why do Push Rules not satisfy those concerns?
- How do you manage secrets today that are unintentionally leaked into your code base?
Additional questions
- Is GitHub's token scanning solving the problem users have?
What hypotheses and/or assumptions do you have?
I assume that users are concerned about sensitive strings of text being committed in files other than the files we currently block when we see them, and that this is the gap.
I assume that users are using the Web IDE and are concerned that it uses a different workflow than our current push rules.
I assume that users expect us to detect things like credentials out of the box and are unwilling to define & customize it themselves.
What decisions will you make based on the research findings?
I will make a prioritization & next steps decision on https://gitlab.com/gitlab-org/gitlab-ee/issues/8792
What's the latest milestone that the research will still be useful to you?
12.5