Blog post: How to tailor SAST and secret detection to your application context with custom rulesets

Triage (REQUIRED)

Please note that there is a different process for when you want to announce something via the blog. Please see announcement requests in the handbook and open an announcement request issue instead of a blog post issue.

Generally speaking, engineering blog posts that are tutorials/how-tos or which share how we built or debugged something, are popular with our audience. If your proposed blog post is aligned with our Attributes of a successful blog post guidelines, you can skip straight to your proposal.

If you are pitching something outside of those guidelines, please fill in the below to help us prioritize. You can check out examples of high- and low-performing blog posts to help with your rationale.

This issue fulfills one of these goals:

  • Drive traffic to our website
  • Convert traffic into leads
  • Thought leadership/share expertise
  • Build relationships with potential customers
  • Drive long-term results (please explain below in your proposal)
  • Announcement
    • Link to announcement request issue (required, see https://about.gitlab.com/handbook/marketing/corporate-marketing/#requests-for-announcements)
  • Cross-functional support
    • Link to OKR (required if this box is checked)

Proposal

In rule-pack synthesis using rules from multiple sources we extended the capabilities of custom-rulesets to support the generation of a custom configuration by combining data from multiple sources which makes it possible to adapt SAST and secret detection to particular use-cases for example by eliminating findings provided by our own rule-set or even the integration of entirely new security configurations.

In this blog post, we would like to showcase how this feature can be used to refine security analysis by preventively eliminate FPs with contextual knowledge of the program under analysis (e.g., microservice cli tool vs. web-based app) and how to incorporate entirely new rules/configuration if the ones shipped by us are insufficient. In addition we demonstrate how custom-configuration can be easily managed by storing custom-configuration in a separate Git repository.

This is the MR that documents this feature.

Roles and Responsibilities

Person Role
@jthome requester
@jthome @theoretick @tmccaslin editor
@person approver (optional)

Checklist

  • If you have a specific publish date in mind (please allow 3 weeks' lead time)
    • Include it in the issue title and apply the appropriate marketing milestone (e.g. Mktg: 2021-03-28)
    • Give the issue a due date of a minimum of 2 working days prior
    • If your post is likely to be >2,000 words, give a due date of a minimum of 4 working days prior
  • If time sensitive
    • Add ~"Blog: Priority" label and supplied rationale in description
  • If wide-spread customer impacting or sensitive, mention @nwoods to give her a heads up ASAP, apply the sensitive label, and check the PR handbook in case you need to open an announcement request instead of a blog post issue
  • If the post is about one of GitLab's Technology Partners, including integration partners, mention @dpduncan, apply the Partner Marketing label, and see the blog handbook for more on third-party posts
  • If the post is about one of GitLab's customers, mention @FionaOKeeffe, apply the Customer Reference Program label, and see the blog handbook for more on third-party posts
  • Indicate if supporting an event or campaign
  • Indicate if this post requires additional approval from internal or external parties before publishing (please provide details in a comment)

Production

  • Requestor to complete issue template (Triage, Proposal, Roles and Responsibilities, Checklist )
  • Issue sent through triage for consideration (pitch, planning/in progress, review, scheduled)
  • Issue assigned to requestor to draft blog post and open MR
  • MR created and linked to issue - issue is now deprecated in favor of MR and will close once MR is complete
Edited by Julian Thome