Term extraction: CI/CD and Application Security index pages - candidate list
#### Context

Part of the EN baseline term extraction (#916+). Three index pages from the CI/CD and Application Security sections were scanned for terminology candidates.

Pages processed:

- `doc/ci/_index.md`
- `doc/user/application_security/sast/_index.md`
- `doc/user/application_security/get-started-security.md`

**Scope note:** extraction was limited to these three index pages only. Sub-pages of these sections were not scanned and are out of scope for this batch.

Each candidate was evaluated using the 8-criteria framework (2+ required) plus the translation-risk test: 1=Terminologization, 2=Confusability, 3=Specialization, 4=Frequency, 5=Visibility, 6=Novelty, 7=System relationships, 8=Standardization potential.

#### Extracted terms

<table>
<tr>
<th>Term</th>
<th>File(s)</th>
<th>In Quickterm</th>
<th>FR (from Quickterm)</th>
<th>Notes</th>
</tr>
<tr>
<td>pipeline</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>pipeline (Preferred, borrowing)</td>
<td>Core CI/CD execution concept. Quickterm confirms FR = "pipeline" (borrowing, Preferred): do not translate. Criteria: 1,2,3,4,5,7,8.</td>
</tr>
<tr>
<td>stage</td>
<td>doc/ci/_index.md</td>
<td>Yes (Preferred)</td>
<td>étape (Preferred; FR stored on "pipeline stage" admitted row in Quickterm)</td>
<td>Execution phase within a pipeline; defines job ordering. Critical false friend: French "stage" = internship. Quickterm confirms FR = "étape" (Preferred). Criteria: 1,2,3,4,7.</td>
</tr>
<tr>
<td>job</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>job (Preferred, borrowing)</td>
<td>Discrete unit of work executed by a runner within a stage. Polysemy: "job" is generic in English; in CI/CD it has a specific technical meaning. Quickterm confirms FR = "job" (borrowing, Preferred): do not translate. Criteria: 1,2,3,4,7.</td>
</tr>
<tr>
<td>runner</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>runner (Preferred, borrowing)</td>
<td>Agent that picks up and executes CI/CD jobs. Confusability risk: "runner" as a concept vs. "GitLab Runner" as a product (excluded). Quickterm confirms FR = "runner" (borrowing, Preferred): do not translate. Criteria: 1,2,3,4,5,7.</td>
</tr>
<tr>
<td>CI/CD variable</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>variable CI/CD (Preferred)</td>
<td>Environment variable specific to CI/CD pipelines. Quickterm FR confirmed. Part of a system: predefined, custom, protected, masked variables. Criteria: 1,3,4,5,7.</td>
</tr>
<tr>
<td>protected variable</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>variable protégée (Preferred)</td>
<td>Variable restricted to protected branches/tags. "Protected" has a specific CI/CD meaning distinct from general "secure". Quickterm FR confirmed. Criteria: 1,3,4,5,7.</td>
</tr>
<tr>
<td>masked variable</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>variable masquée (Preferred)</td>
<td>Variable whose value is hidden in job logs. "Masked" is domain-specific; confusion risk with display/visibility terminology. Quickterm FR confirmed. Criteria: 1,2,3,4,5,7.</td>
</tr>
<tr>
<td>CI/CD component</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>composant CI/CD de prébuild (Preferred)</td>
<td>Reusable, versioned pipeline configuration unit published to the CI/CD Catalog. Quickterm FR includes "de prébuild" which may be overly specific; needs verification against current docs usage. Criteria: 1,3,4,5,6,7.</td>
</tr>
<tr>
<td>CI/CD Catalog</td>
<td>doc/ci/_index.md</td>
<td>Yes</td>
<td>catalogue CI/CD (Preferred)</td>
<td>Central repository for discovering and sharing CI/CD components. Quickterm translates as "catalogue CI/CD" (lowercase). Note: AI Catalog (Duo) is a separate feature; these two "Catalog" terms must be rendered consistently. Criteria: 1,3,5,6,7,8.</td>
</tr>
<tr>
<td>CI/CD expression</td>
<td>doc/ci/_index.md</td>
<td>No</td>
<td></td>
<td>New syntax ($[[ ]]) for dynamic input evaluation in pipelines. Not in Quickterm. No established FR equivalent. Criteria: 1,3,4,5,6.</td>
</tr>
<tr>
<td>inputs context</td>
<td>doc/ci/_index.md</td>
<td>No</td>
<td></td>
<td>New CI/CD expression context providing access to component inputs. Paired with matrix context. Not in Quickterm. FR: "contexte d'entrées" or "contexte inputs"? Criteria: 1,3,6,7.</td>
</tr>
<tr>
<td>matrix context</td>
<td>doc/ci/_index.md</td>
<td>No</td>
<td></td>
<td>New CI/CD expression context for matrix job values. Paired with inputs context. Not in Quickterm. FR: "contexte de matrice" or "contexte matrix"? Criteria: 1,3,6,7.</td>
</tr>
<tr>
<td>SAST</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>Yes</td>
<td>test statique de sécurité des applications (Preferred)</td>
<td>Static Application Security Testing: analysis of source code for security vulnerabilities. Quickterm note: first instance write out in full as "test statique de sécurité des applications (SAST)", then use SAST; in titles use SAST. Acronym kept in all languages. Criteria: 1,2,3,4,5,8.</td>
</tr>
<tr>
<td>analyzer</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>No (Quickterm match was a different term)</td>
<td></td>
<td>In SAST context: a tool/scanner (e.g. Semgrep, SpotBugs) that performs static analysis. Polysemy: "analyzer" can mean person or tool; in security docs always means tool. FR: "analyseur" (generic) risks confusion. Criteria: 1,2,3,4,5.</td>
</tr>
<tr>
<td>finding</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>Yes</td>
<td>détection de failles de sécurité (Preferred)</td>
<td>A security issue detected on a non-default branch, before being confirmed as a vulnerability. The finding/vulnerability distinction is critical: findings become vulnerabilities only after merging to the default branch. Criteria: 1,2,3,4,5,7.</td>
</tr>
<tr>
<td>vulnerability</td>
<td>doc/user/application_security/sast/_index.md, doc/user/application_security/get-started-security.md</td>
<td>Yes</td>
<td>vulnérabilité (Preferred)</td>
<td>A security issue confirmed on the default branch (contrast: finding). The finding/vulnerability distinction must be maintained consistently. Criteria: 1,2,3,4,5,7.</td>
</tr>
<tr>
<td>ruleset</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>Yes</td>
<td>ensemble de règles (Preferred)</td>
<td>Set of rules controlling analyzer behavior, configured in .gitlab/sast-ruleset.toml. Quickterm FR confirmed. Criteria: 1,3,4,5,7.</td>
</tr>
<tr>
<td>severity</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>Yes</td>
<td>gravité (Preferred)</td>
<td>Six-level classification of vulnerability impact (Critical, High, Medium, Low, Info, Unknown). Quickterm confirms FR = "gravité"; note: "sévérité" also appears in some GitLab FR strings. Criteria: 1,3,4,5,8.</td>
</tr>
<tr>
<td>advanced vulnerability tracking</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>No</td>
<td></td>
<td>Algorithm that follows a vulnerability as code moves (refactoring, line number changes), preventing duplicate reports. Ultimate-tier feature. Not in Quickterm. FR: "suivi avancé des vulnérabilités"? Criteria: 1,3,5,6,7.</td>
</tr>
<tr>
<td>pre-filter</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>No</td>
<td></td>
<td>Filtering applied before a SAST scan runs to reduce noise. Paired with post-filter; must be translated consistently. FR: "pré-filtre" or "filtrage préalable"? Criteria: 1,2,3,4,7.</td>
</tr>
<tr>
<td>post-filter</td>
<td>doc/user/application_security/sast/_index.md</td>
<td>No</td>
<td></td>
<td>Filtering applied after a SAST scan to suppress false positives. Paired with pre-filter; must be translated consistently. FR: "post-filtre" or "filtrage ultérieur"? Criteria: 1,2,3,4,7.</td>
</tr>
<tr>
<td>secret detection</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>Yes</td>
<td>détection des secrets (Preferred)</td>
<td>Scanning for exposed credentials, API keys, and secrets in code or commit history. Part of the security scanning ecosystem alongside SAST, DAST, dependency scanning. Criteria: 1,3,4,5,7.</td>
</tr>
<tr>
<td>dependency scanning</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>Yes</td>
<td>analyse des dépendances (Preferred)</td>
<td>Analyzing application dependencies for known vulnerabilities. Part of the security scanning ecosystem. Quickterm confirms FR = "analyse des dépendances". Criteria: 1,3,4,5,7.</td>
</tr>
<tr>
<td>baseline scan</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>No</td>
<td></td>
<td>Initial security scan on the default branch establishing the reference state for vulnerability detection. Not in Quickterm. FR: "scan de référence" or "scan de base"? Criteria: 1,3,4,5.</td>
</tr>
<tr>
<td>scan execution policy</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>No</td>
<td></td>
<td>Governance policy that enforces scheduled or pipeline security scans across projects. Part of the policy enforcement system alongside merge request approval policy. Not in Quickterm. Criteria: 1,3,5,6,7.</td>
</tr>
<tr>
<td>merge request approval policy</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>No</td>
<td></td>
<td>Policy enforcing required approvals on merge requests based on security scan results. Paired with scan execution policy. Not in Quickterm. FR: long compound ("politique d'approbation de demande de fusion")? Criteria: 1,3,5,7.</td>
</tr>
<tr>
<td>remediation</td>
<td>doc/user/application_security/get-started-security.md</td>
<td>Yes</td>
<td>correction (Preferred)</td>
<td>The process of fixing or mitigating a vulnerability. Quickterm maps to "correction", but "correction" is very generic and may not convey the security remediation workflow. "Remédiation" exists as a FR borrowing. Needs discussion. Criteria: 1,2,3,4,5.</td>
</tr>
</table>

#### Terms excluded after applying extraction criteria

- `GitLab Advanced SAST`: GitLab product/feature name
- `GitLab Runner`: product name
- `CWE identifier`: stays as standard abbreviation, no translation needed
- `false positive`: "faux positif" is standard and unambiguous for any competent translator
- `merge request widget`: UI label per scope rules
- `inline annotation`: UI component, derivable
- `vulnerability triage`: "triage" is of French origin; "triage des vulnérabilités" is transparent and derivable
- `security dashboard`: in Quickterm with FR confirmed (tableau de bord de sécurité)
- `agentic vulnerability resolution`: overlaps with Duo Agent Platform extraction (#937)
- `Docker, Kubernetes, Terraform, Semgrep, SpotBugs`: third-party product names