Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Secure UX


Secure tools help your team follow and enforce security best practices effortlessly as part of the DevOps cycle. The Secure UX team’s goal is to provide the best experience in taking pre-emptive security measures before deploying your code, while the Defend UX team’s goal is to provide the best experience in keeping your application safe after your code is in production. See the Defend and Secure UX page for more about our team and how our two teams work together.


We have different user types we consider in our experience design effort. Even when a user has the same title, their responsibilities may vary by organization size, department, org structure, and role. Here are some of the people we are serving:

Generally, developers are the users of the vulnerability reports in the MR/pipeline while security professionals are the users of the Security Dashboards.

UX scorecards

Primary jobs to be done (JTBD)


Team structure

We've divided the Secure stage into dedicated experience groups to align with a similar split undertaken by our engineering and PM counterparts.

Static and Dynamic Testing

Experience Group Features Designer(s)
Security Testing SAST, IAST, DAST, Fuzzing, Container Scanning, Secret Detection Camellia Yang
Code Scanning Scanning in Web IDE, MR Security Report, DevSec Code Review, Dependency Scanning Annabel Dunstone Gray

Software Composition Analysis

Experience Group Features Designer(s)
Compliance & Auditing License Check, Security Gates, License Compliance, Bill of Materials, Auto-Remediate, Dependency Scanning Kyle Mann
Audits & Policy Enforcement Audit reports, SLAs, Risk Acceptance, Policy Enforcement TBD - we're hiring!

The Secure & Defend UX teams work closely together and have shared coverage in the following areas:

This segmentation gives us a better opportunity to:

Read more about how we've created these dedicated experience groups here.

How we work

We follow the GitLab workflow with additional dates and actions that directly tie to our work.

Team meetings

Our Secure UX weekly meeting is to discuss topics relevant to Secure design, UX, and research. Some example topics could include:

Some topics are better suited for a dedicated meeting, and should be created on an as-needed basis:

Labels we use

We have 3 scoped labels to help us identify which experience group a particular issue falls into and which designer should be subsequently assigned.

Secure UX::Shared

Secure UX::Security Testing & Scanning

Secure UX::Compliance & Auditing

See our UX Workflow page for more on how we use labels.

Problem and solution validation issues

When working on a workflow::problem validation or workflow:solution validation issue requiring implementation in the next 2 releases, ensure there is a placeholder implementation issue. This issue must be attached to the epic, have a tentative milestone and the corresponding labels, particularly the group label, so that it shows up on the issue boards for our counterparts.

Our strategy

The Secure UX team is working together to uncover customers core needs, what our users’ workflows looks like, and defining how we can make our users tasks easier. Our strategy involves the following actions:

Additionally, we value the following:

The source of truth lives with shipped features, therefore we:

Follow our work

Our Secure and Defend UX YouTube channel includes UX Scorecard walkthroughs, UX reviews, group feedback sessions, team meetings, and more.