15.0 Readiness - Secure & Protect scanners major version update & deprecation

What is happening

Secure and Protect analyzer major version update and deprecations

The Secure and Protect stages will bump the major versions of their analyzers in tandem with the GitLab 15.0 release. This major bump draws a clear line between two groups of analyzers:

  • Those released prior to May 22, 2022, which generate reports that are not subject to stringent schema validation.
  • Those released after May 22, 2022, which generate reports that are subject to stringent schema validation.

The following are being deprecated and will no longer be updated after the GitLab 15.0 release:

  • API Security: version 1
  • Container Scanning: version 4
  • Coverage-guided fuzz testing: version 2
  • Dependency Scanning: version 2
  • Dynamic Application Security Testing (DAST): version 2
  • Infrastructure as Code (IaC) Scanning: version 1
  • License Scanning: version 3
  • Secret Detection: version 3
  • Static Application Security Testing (SAST): version 2 of all analyzers, except gosec which is currently at version 3
    • bandit: version 2
    • brakeman: version 2
    • eslint: version 2
    • flawfinder: version 2
    • gosec: version 3
    • kubesec: version 2
    • mobsf: version 2
    • nodejs-scan: version 2
    • phpcs-security-audit: version 2
    • pmd-apex: version 2
    • security-code-scan: version 2
    • semgrep: version 2
    • sobelow: version 2
    • spotbugs: version 2

If you are not using the default inclusion templates, or have pinned your analyzer version(s), you will need to update your CI/CD job definition to either remove the pinned version or update it to the latest major version.

Blog post announcement published on 2022-04-18: https://about.gitlab.com/blog/2022/04/18/gitlab-releases-15-breaking-changes/#secure-and-protect-analyzer-major-version-update

Change and deprecation scheduled for 15.0.0 (2022-05-22).

Status / What actions have been taken so far

What impact will this have on users?

Users with customized configuration of GitLab Secure scanner jobs (pinned scanner image version, job overrides, etc.) will no longer receive updates.

In a worst case scenario, pipelines may fail for Secure scanner jobs with customizations.

Fix

Either update your CI/CD job definition to remove the pinned version, or update it to the latest major version.
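As an added example (not from this issue and not GitLab's own template code), here is what the two fix options look like in a project's .gitlab-ci.yml for one SAST analyzer. The job name semgrep-sast, the template path and the SECURE_ANALYZERS_PREFIX variable are assumed to match GitLab's managed SAST template; version 3 is assumed as the next major version after the deprecated version 2.

```yaml
# Added example, not from the original issue. Assumes the project includes the
# SAST template and overrides the semgrep-sast job's image (job name, template
# path and the SECURE_ANALYZERS_PREFIX variable are assumptions matching the
# GitLab-managed templates of this era).
include:
  - template: Security/SAST.gitlab-ci.yml

# Before: the job is pinned to analyzer major version 2, which stops
# receiving updates after the 15.0 release and may eventually fail.
#
#   semgrep-sast:
#     image: "$SECURE_ANALYZERS_PREFIX/semgrep:2"

# Fix option 1: pin to the new major version instead. Version 3 is assumed
# here as the next major after the deprecated version 2; the job keeps its
# other overrides but now pulls an analyzer that receives updates.
semgrep-sast:
  image: "$SECURE_ANALYZERS_PREFIX/semgrep:3"

# Fix option 2 (simplest): delete the image override entirely so the job
# inherits the template's default image tag and keeps tracking updates
# automatically. With option 2 the file contains only the include block above.
```

When auditing a project for this change, search the CI/CD configuration (and any included files) for image overrides or `_IMAGE_TAG`-style variables that reference the deprecated major versions listed above; a job with no such override already follows the template default and needs no action.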

Do users need to be contacted?

  • No

Anticipated Support Impact

  • No impact for customers not using Secure/Protect scanners
  • Medium impact for customers with customized configuration of GitLab secure scanner jobs (pinned scanner image version, scanner job overrides, etc.)

Timeline / Important Dates

15.0 release date - May 22nd.

Who should Support go to with questions and approvals for communications/action items?

  • Static Analysis Support Counterpart: @greg

Slack Channel

  • #g_secure-static-analysis

Related Issues/MRs/Epics

Support Resources

DRI from Support

@greg

FAQs for Support

Other Public Resources

Edited by Greg Myers