UX research: auto-remediation MVC to auto-create merge request with fix

What’s this issue all about?

This research is following up on the outcomes of gitlab#14059 (closed). The discovery focused on creating an MVC that would auto create a merge request with solutions to known vulnerabilities. The MVC, given our current auto-remediation capabilities, will affect projects that are using dependency scanning and using yarn.

As we evolve the UX for auto-remediation our objective is for a 1) generic auto-remediation UX that handles multiple capabilities (consistent UX across different capabilities) and 2) geting closer to out-of-box UX (meaning it works without configuration). One of the upcoming capabilities is gitlab#35433 (closed) (based on gitlab#9384 (closed)).

We’d like this research to take a look at the general usability of the MVC and identify current/future usefulness this may bring to the customer/users. Additionally, we have a discovery to look at auto-merging of auto-created MRs; we’ll incorporate any insights from this study to influence the outcomes and recommendations of that discovery gitlab#36503 (closed).

Who is the target user of the feature?

• Delaney (Development Team Lead)
• Sasha (Software Developer)
• Sam (Security Analyst)

What questions are you trying to answer?

• What is the user’s perception about auto-remediation?
• What is the user’s expectation with the feature?
• Where does the user go to turn on/off the feature?
• Where does the user go to learn more about the features?
• Does the user understand the AR settings section - specifically, the user enabling feature is the author of the MRs?
• Where does the user expect to see auto-created merge request?
• Where does the user go to find the auto-created merge request?
• Is the notification banner seen on dashboard UI helpful to the user?
• How does the user feel about auto-creation of MRs and then Auto-merging of those MRs

Additional questions

• Do they have any automated vulns fix process today?
• Who would be in charge of these auto-fix vulns

What hypotheses and/or assumptions do you have?

• That users will go to project > security > configuration for opt-in/out of feature
• Concerned that since it’s not turned on out-of-the-box, that the feature may go unnoticed

What decisions will you make based on the research findings?

• Usability improvements to the MVC, such as: general fixes, copy in UI, label naming, and MR description
• Influence and guide the next discovery: gitlab#36503 (closed), which is focused on Auto-merging or auto-created merge request

What's the latest milestone that the research will still be useful to you?

%12.8

Timeline:

• Create a draft screener. Deadline: Tuesday Nov 26th.
• Create first draft for a script. Deadline: Tuesday Nov 26th.
• Get approval for screener and begin recruiting. Deadline: Wednesday Nov 27th.
• Finalize script. Deadline: Friday Nov 29th.
• Create and finalize a prototype / visuals. Deadline: Tuesday Dec 03.
• Test run and tweaking. Deadline: Tuesday Dec 03.
• Conduct tests. Dec 04 - Dec 06.
• Analysis and reporting. Deadline: Friday Dec 13th.

Results for this study

👉 &2347 (closed)