Allow users to enable container scanning in the UI via an MR
### Problem to solve

Users are unable to configure a security scan feature directly in the UI.

Context: In the https://gitlab.com/groups/gitlab-org/-/epics/1784 study, only 1 of 5 users was able to configure a security scan correctly when given the task. Users navigated to the Security section of the left nav with ease, but were disappointed on arriving there and not finding an on/off switch.

This discovery (https://gitlab.com/gitlab-org/gitlab/issues/13646) produced a workflow that lets a user configure security scans directly from the UI. The workflow was validated in https://gitlab.com/gitlab-org/ux-research/issues/359, where 5 of 5 participants successfully configured a scan.

##### Related individual group UIs

* SAST - https://gitlab.com/gitlab-org/gitlab/-/issues/216635
* Dependency scanning - https://gitlab.com/gitlab-org/gitlab/-/issues/243568
* Secret Detection - https://gitlab.com/groups/gitlab-org/-/epics/4496
* License scanning - TBD

### Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Proposal

Allow users to create a merge request that adds the Container Scanning template to `.gitlab-ci.yml` (default branch only). This task is completed in the Security Configuration section.
* User selects `Enable` for Container Scanning; the related template is committed to `.gitlab-ci.yml`
* The commit is made with `[skip ci]`, so the commit itself does not trigger a pipeline that would fail before the scanner's requirements are met
* The merge request description lists the scanner requirements and the further actions needed
* Documentation is surfaced in the changes/diff section to help the user act on the inputs needed to complete the setup

:projector: [video walkover](https://youtu.be/eSq8sIGGPe0)

:art: [Figma design file](https://www.figma.com/file/kBTtdhQjjXANu5jiESWrdW/Container-Scanning-Config?node-id=409%3A1012)

| Step 1: container scanning not enabled | Step 2: review MR | Step 3: review MR diff | Step 4: after MR is merged |
| ------ | ------ | ------ | ------ |
| ![1-container_scanning_not_enabled](/uploads/09764c03b8b35b1a5dba5f156f41f52f/1-container_scannign_not_enabled.png) | ![2-review-mr](/uploads/c6a1d37430263a65c39a4865c6ce77a0/2-review-mr.png) | ![3-review-mr-diff](/uploads/c39c1780262859acfa0bd89220720ce6/3-review-mr-diff.png) | ![4-after_container_scanning_is_enabled](/uploads/6e7abb4f636eeaa4a9ac2fe91b286b00/4-after_container_scanning_is_enabled.png) |

### Permissions and Security

The configuration UI would be visible to maintainers and owners; developers would see the status screen (https://gitlab.com/gitlab-org/gitlab-ee/issues/13638).

### Documentation

..

### Testing

..

### What does success look like, and how can we measure that?

* Increased adoption, given the ease of clicking the call-to-action button
* Users tasked with setting up scans navigate to the section and better understand how to configure them
* The documentation links are clear and guide users to set up security scans
* Users successfully add the respective template via the merge request flow
* Users understand that this UI applies only to the default branch

=> [Related research study](https://docs.google.com/presentation/d/1blpG78sBTNYcFyP1DH4gNjmJSB8SGm4xMgVtOe9UXLo/edit?usp=sharing)

### What is the type of buyer?
~"GitLab Ultimate"

### Related Issues

* https://gitlab.com/gitlab-org/gitlab/-/issues/334929
* https://gitlab.com/groups/gitlab-org/-/epics/4908

*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
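The merge-request flow described in the Proposal section above is, at bottom, an edit to `.gitlab-ci.yml` plus a commit message. The Ruby below is an added example written for this page, not GitLab's own implementation of the feature: it appends the `Security/Container-Scanning.gitlab-ci.yml` template to whatever `include:` the project already has without duplicating it, collects the follow-up actions the MR description should surface, and builds a commit message carrying `[skip ci]`. The sample `.gitlab-ci.yml`, the requirement checks (a `test` stage and a `CS_IMAGE` variable), and the wording of the notes are constructed for this example; `add_container_scanning` is a hypothetical helper name.

```ruby
require 'yaml'

# Template name from GitLab's Container Scanning documentation.
CONTAINER_SCANNING_TEMPLATE = 'Security/Container-Scanning.gitlab-ci.yml'.freeze

# Constructed sample .gitlab-ci.yml: custom stages without `test`, one
# existing template include, and a build job that produces an image.
SAMPLE_CI_YAML = <<~YAML
  stages: [build, deploy]
  include:
    - template: Security/SAST.gitlab-ci.yml
  build:
    stage: build
    script: docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
YAML

# `include:` may be absent, a single string, a single mapping, or a list of
# those. Normalise to a list so one entry can be appended without clobbering
# the includes the project already has.
def includes_as_list(value)
  case value
  when nil   then []
  when Array then value.dup
  else            [value]
  end
end

# Returns [new_yaml, notes]: the updated .gitlab-ci.yml text and the
# follow-up actions the MR description should list. Idempotent: running it
# on its own output makes no further change.
def add_container_scanning(ci_yaml)
  config = YAML.safe_load(ci_yaml) || {}
  raise ArgumentError, '.gitlab-ci.yml must be a top-level mapping' unless config.is_a?(Hash)

  includes = includes_as_list(config['include'])
  entry = { 'template' => CONTAINER_SCANNING_TEMPLATE }
  includes << entry unless includes.include?(entry)
  config['include'] = includes

  notes = []
  stages = config['stages']
  # The template's container_scanning job runs in the `test` stage. A project
  # that declares its own `stages:` without `test` cannot create a pipeline
  # ("chosen stage does not exist"), one reason the MR commit carries [skip ci].
  if stages.is_a?(Array) && !stages.include?('test')
    notes << 'Add a `test` stage to `stages:`; the container_scanning job runs there.'
  end
  # Heuristic for this example only: the scanner needs an image to pull.
  # CS_IMAGE is the documented variable; when it is unset the template's
  # default expects an image a build job has pushed to the project registry.
  variables = config['variables'] || {}
  unless variables.key?('CS_IMAGE')
    notes << 'Set CS_IMAGE or make sure an earlier stage pushes the image to the registry.'
  end

  [YAML.dump(config), notes]
end

# Commit message for the MR. `[skip ci]` keeps GitLab from running a pipeline
# for this commit, so the template can land before the notes above are acted on.
def commit_message
  'Add Container Scanning template to .gitlab-ci.yml [skip ci]'
end

if __FILE__ == $PROGRAM_NAME
  yaml, notes = add_container_scanning(SAMPLE_CI_YAML)
  puts yaml
  notes.each { |n| puts "- #{n}" }
  puts commit_message
end
```

Run on the sample, the output keeps the existing SAST include and adds the Container Scanning entry beneath it; both notes fire because the sample's `stages:` lacks `test` and no `CS_IMAGE` is set. Running the function a second time on its own output returns identical text, which is what the "default branch only" MR flow needs so that re-clicking `Enable` never stacks duplicate includes. An empty file yields a `.gitlab-ci.yml` containing only the include, and the `test` stage note stays quiet because GitLab's default stages already contain `test`.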