UX theme: clarity about security approval rules status on MR page
UX Theme
When the user has set up a security approval policy (scan result policy), they should be properly informed about the different statuses on an MR page. By clarifying what is happening, and why the MR is blocked, we help users move faster and resolve the right problem in the right order so the MR can be merged. For details, please see the following situations:
| When triggering the problem (Confidence-Priority) | Problem: Current Behavior | User feedback sources | Proposed next step | Related issue | Progress status |
|---|---|---|---|---|---|
| Situation-1: Pipeline is running & Policy is required (High-High) | We give the user the wrong information: we tell the user the MR is blocked because of approval rules (security policy), when what is actually required is that the user waits for the pipeline to finish. The current text confuses users because it simply states that all approvals must be given. Once the pipeline finishes, if no vulnerabilities are found, this message suddenly goes away, and the user is left wondering why they can suddenly merge when no one approved the MR in the meantime. | 1. Detail of direct user feedback | We need to reach an agreement on what the MVC is (clarify the messaging), and a bigger change also needs to be developed (move the security policy to a separate merge check). | | |
| Situation-4: Dead-end rule: required approval number is larger than the number of approvers (High-?) | It is possible for all approval rules to end up in a situation where their conditions cannot be satisfied. When this happens, we simply mark the rule as | We can logically prove that this will block users; we don't have user feedback yet because this is an edge case. For details, please see the discussion issue. | We need to reach an agreement on what the solution is. This is an edge case, but we need to solve it for users. | 1. Discussion issue | |
| Situation-2&3: What to prioritise among all merge checks, and among all approval rules? (Medium-?) | The security policy is one of the approval rules, and approval rules are one of the merge checks. By default we display one merge check at a time; in situations 2 and 3 the user may want to prioritise the security policy approval above the other approval rules. | We heard in user interviews that security approval rules should be prioritised, and we keep hearing similar things from customers. Unfortunately, those are not recorded. | We need to do further problem validation research. | 1. Discussion issue | |
| Situation-5: When a required scan job gets disabled (High-High) | Users can circumvent the scan result policy requirements if they remove the scans as part of their MR. For example, if a policy requires approval when any Criticals are found by a SAST scan, we don't find any Criticals if the SAST scan does not run. We need to start checking whether or not the required scans have run as part of the policy, and then we need to design some way to explain to the user why the merge request is blocked if the required scans have not been run. | We constantly hear from customers that this is required; we shouldn't remove the policy if the scan is not enabled. | We need to reach an agreement on what the solution is. This is an edge case, but we need to solve it for users. | | |
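To make the failure modes in the table concrete, here is an added toy evaluator for a scan result policy. It is illustrative code written for this page, not GitLab's implementation; the policy fields, scenario names and approver names are constructed. It contrasts the fail-open evaluation that allows the Situation-5 bypass (a scan that never ran reports no findings, so the rule is silently satisfied) with a fail-closed evaluation that keeps the MR blocked until every required scan has produced a report, and that also returns an explicit reason for the Situation-1 (pipeline still running) and Situation-4 (dead-end rule) states so the MR page can explain why merging is blocked.

```python
# Added example (not GitLab code): a toy evaluator for a scan result policy,
# contrasting the fail-open behaviour described in Situation-5 with a
# fail-closed evaluation that also surfaces Situation-1 and Situation-4.
# All policy, pipeline and approver names below are constructed samples.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScanResultPolicy:
    name: str
    required_scans: frozenset      # scan types the policy depends on, e.g. {"sast"}
    severities: frozenset          # severities that trigger the approval requirement
    approvals_required: int
    eligible_approvers: frozenset  # users allowed to approve for this rule


@dataclass
class PipelineResult:
    status: str                                   # "running" or "success"
    reports: dict = field(default_factory=dict)   # scan type -> list of finding severities


def matching_findings(policy: ScanResultPolicy, pipeline: PipelineResult) -> list:
    """Severities in the pipeline reports that the policy cares about."""
    return [
        sev
        for scan in sorted(policy.required_scans)
        for sev in pipeline.reports.get(scan, [])
        if sev in policy.severities
    ]


def evaluate_fail_open(policy: ScanResultPolicy, pipeline: PipelineResult) -> str:
    """Naive evaluation: only looks at findings. A scan that never ran
    produces no findings, so removing the SAST job silently satisfies
    the rule (the bypass described in Situation-5)."""
    return "approval_required" if matching_findings(policy, pipeline) else "not_applicable"


def evaluate_fail_closed(policy: ScanResultPolicy, pipeline: PipelineResult) -> str:
    """Hardened evaluation: the MR stays blocked until every required scan
    has actually produced a report, and the reason is returned explicitly
    so the MR page can explain it."""
    if pipeline.status != "success":
        return "waiting_for_pipeline"             # Situation-1: not an approval problem yet
    missing = sorted(policy.required_scans - set(pipeline.reports))
    if missing:
        return "blocked_missing_scans:" + ",".join(missing)   # Situation-5
    if policy.approvals_required > len(policy.eligible_approvers):
        return "blocked_unsatisfiable_rule"       # Situation-4: dead-end rule
    return "approval_required" if matching_findings(policy, pipeline) else "not_applicable"


# Constructed sample policy: require 2 approvals from 3 eligible approvers
# whenever SAST reports a critical finding.
POLICY = ScanResultPolicy(
    name="block-critical-sast",
    required_scans=frozenset({"sast"}),
    severities=frozenset({"critical"}),
    approvals_required=2,
    eligible_approvers=frozenset({"alice", "bob", "carol"}),
)

# Constructed pipeline outcomes for the same MR.
SCENARIOS = {
    "pipeline_running": PipelineResult(status="running"),
    "sast_job_removed": PipelineResult(status="success", reports={"secret_detection": []}),
    "sast_found_critical": PipelineResult(status="success", reports={"sast": ["critical", "low"]}),
    "sast_clean": PipelineResult(status="success", reports={"sast": ["low"]}),
}

# Constructed dead-end rule: 3 approvals required, only 1 eligible approver.
DEAD_END_POLICY = ScanResultPolicy(
    name="too-few-approvers",
    required_scans=frozenset({"sast"}),
    severities=frozenset({"critical"}),
    approvals_required=3,
    eligible_approvers=frozenset({"alice"}),
)


def compare() -> dict:
    """Return {scenario: (fail_open_result, fail_closed_result)} for POLICY."""
    return {
        name: (evaluate_fail_open(POLICY, p), evaluate_fail_closed(POLICY, p))
        for name, p in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (open_result, closed_result) in compare().items():
        print(f"{name:22} fail-open={open_result:18} fail-closed={closed_result}")
    print("dead-end rule:", evaluate_fail_closed(DEAD_END_POLICY, SCENARIOS["sast_clean"]))
```

The design point is that the status string carries the reason for the block, not just a boolean: "waiting_for_pipeline", "blocked_missing_scans:sast" and "blocked_unsatisfiable_rule" are distinct states that the MR page can message differently, which is exactly the clarity the table asks for.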
Beneficiary
Need & JTBD
- JTBD: As an application security engineer, I need to be able to configure approval policies that align with my organization's requirements so that I can avoid blocking approvals unnecessarily.
Business objective
Drive Ultimate revenue by expanding the number of organisations using Scan Result policies properly.
Confidence
See the table above
Subthemes
See the table above
Feature/solution subthemes/Discussions
- Situation 1: When the pipeline is incomplete and there is a security policy enabled
- Situation 2: There is a code conflict, and approvals are needed
- Situation 3: There are multiple rules (including security rules)
- Situation 4: It is a dead-end rule
Prioritized list of design issues in this theme: