From YouTube: Secure UX, discovery kickoff: security bot member
Description
00:00-03:15 problem context
03:15-06:47 proposal ideation
06:47-10:30 discovery questions
%12.9 discovery overview: looking into creating a security member for our upcoming auto-remediation feature, which auto-creates merge requests with fixes to vulnerabilities.
Discovery issue: https://gitlab.com/gitlab-org/gitlab/issues/197349
Related previous discovery, MVC (auto-creation of merge requests): https://www.youtube.com/watch?v=pbRhf0LHgq8&list=PL05JrBw4t0KrFCe5BgUkzFrZifjforQOz&index=13
Hi, I'm Kyle on the Secure UX team, and I just wanted to take a look at a UX and engineering discovery that we have scheduled for 12.9, which is about possibly creating a bot member to help us with one of the problems that we discovered in a recent auto-remediation MVC that we created. So let me just jump over to that one. This one is currently scheduled for 12.10, and it's based off of the discovery that we did with engineering and also some UX research to validate the MVC.

We had really good feedback generally, but one thing that we want to address was some of the feedback in terms of who is the creator of the auto-created merge request and the setup around that. So I'll take a look at what we tested and what we heard from users. Also, there's another link in the description that kind of has more of an overview of what this MVC is. For this video we're just focusing in on the author of the merge request and the discovery.

So that's where this alternative proposal is coming in from. There's other use cases in Secure that could benefit from having a sort of neutral user and/or a bot to handle similar situations, and so we're just kind of at a kickoff at exploring this. So yeah, what I want to do is just take a look at the overview for where we're at, kind of how we're thinking about this, and then dive into some questions and what we'd like to learn right now.

Okay, let's look at the bot overview. If it existed, we're thinking it could be a member, and again I'll jump over to more questions around this, but it would be a project member, in this case for Ultimate users, and the name would be GitLab Security Bot, or could be; we're certainly looking for suggestions with all this.

So we have this member auto-creating these merge requests, and there's a discovery that we're gonna follow up on in the implementation issue of what it actually looks like to auto-merge the auto-created merge request, so we really need some sort of audit log or activity log for that, and having it as a member could help us out with that as well. Okay, so in comparison to the other setup flow that we saw, this is what it might look like with the GitLab Security Bot.

So, on the configuration page for Secure, the user clicks the checkbox to opt in, and we're giving them feedback here that GitLab Security Bot will be the author of the auto-created merge request. So as they're setting it up we're helping them learn how this might work. They could even click right there on GitLab Security Bot and see that it's a member too, so that they can understand that.

That would be the author and that's the member, and then once it is enabled, just generally, we can display it here in the configuration screen. Even if developers came here, maybe they can't change the settings, but they'll at least see that that author, GitLab Security Bot, is serving that purpose.

Okay, so that's kind of our current ideation and how we were thinking about it based on our last discovery round, the auto-remediation MVC. And what we're looking into is our existing bots: there are already GitLab Support Bot, you may have seen them, and GitLab Alert Bot, and if you're watching this and you have background knowledge on that, we'd love to chat with you. We're reaching out to the Manage team to learn more as well, and we just want to learn: how are they created? Are they out of the box?

There are some setup requirements around them. How do they work for SaaS versus on-premise? Are the bots visible members, so are they visible on the member list? How might we be able to reuse any work that's been done, so maybe we can adopt some of the engineering work that's there? And how do we make sure the extra members don't add seats? I know that GitLab Support Bot and GitLab Alert Bot don't do that, but we just want to make sure that's the case too, for any other future bot. In the case of the auto-remediation MVC, we want to keep ironing out the setup UX. What is the relationship with the opt-in and the opt-in of the auto-created merge request? And maybe if the member bot was visible and deactivated, what does that look like, the findability, the discoverability of it?

Also, once we have some of these questions, some of our homework done here, and a prototype based on how this evolves, we want to then take that back to the AppSec team. We have talked with them preliminarily and they've surfaced some questions and some thoughts, but we want to make sure it's a hundred percent secure, and so we'll take the prototype back to them for some brainstorming and to gather any thoughts and considerations.

Multiple findings by the bots: a sort of neutral author once again would have been helpful, or could be helpful, in that case, perhaps on the objects page as the author of the objects when those are created. Not sure, but just the idea of a sort of neutral user that's out of the member list. Just gathering some general other use cases that this could be helpful in.

Okay! So that's where we're at. We're at the very beginning of this, and this is more of a kickoff video really, and also to send out feelers. If you know about the background or any ideas here, some of these questions that we had, we'd love to chat with you or hear any general thoughts about this. And yeah, as we evolve and close out this discovery, we will do a follow-up conclusion video on our findings. All right, thanks for watching, bye.