Move Code Quality category back to Static Analysis
Summary and reasoning
This MR moves the Code Quality category back to Static Analysis.
A brief history:
- This category was previously in Static Analysis as of 2021 or earlier. Before then, it was in Pipeline Insights.
- It was moved to the new Secret Detection group in February 2024 (see !133169 (merged)) when we split the Secret Detection group out from Static Analysis. The group has largely not been able to invest in CQ, but the PM for Secret Detection has often been brought into customer discussions to explain why this is the case.
- Since then, the Static Analysis group has grown (including via the Oxeye acquisition).
We propose to move CQ back to Static Analysis because:
- Code Quality and SAST are philosophically similar. For example:
  - They use much of the same underlying technology.
  - Users follow the same basic workflow to understand and fix findings.
  - Many tools use the same formats, like SARIF, to report results.
- By comparison, Secret Detection and CQ are not intrinsically related.
- SAST and CQ are presented the same way in the merge request (a feature previously developed by the Static Analysis group).
- The SD group has growing responsibilities for new features like push protection.
- We believe that alignment between SAST and CQ will be a more promising path that resolves longstanding customer complaints with CQ.
Process/approvals
Approvals
Merge requests with changes to stages and groups and significant changes to categories need to be created, approved, and/or merged by each of the below:
- Chief Product Officer @david (post the MR link in #chief-product-officer once all others have approved and tag Gena Schwam @gschwam in Slack for triage on behalf of David)
- PLT Leader relevant to the affected Section(s) @hbenson
- The Product Director relevant to the affected Section(s) @sarahwaldner
- The Engineering Director relevant to the affected Section(s) (equivalent is @twoodham)
- Director of Product Design @vkarnes
Note: Chief Product Officer approval should be requested once all other approvals have been completed. To request approval, post the MR link in the #chief-product-officer channel tagging @david and cc'ing @Gena Schwam.
The following people need to be on the merge request so they stay informed:
- Chief Technology Officer @sabrinafarmer
- Development Leader relevant to the affected Section(s) @bmarnane
- VP of Infrastructure & Quality Engineering @meks
- VP of UX @ampesta
- Director of Technical Writing @susantacker
- Engineering Productivity (by @ mentioning @gl-quality/eng-prod)
- The Product Marketing Manager relevant to the stage group(s) (FYI @dsteer)
After Approvals and Merge
- Create an issue in the gitlab-org/quality/triage-ops project to update GitLab Bot automation:
  - for Category change
  - for Stage or Group change
  - If label migration is required, please follow the self-serve instructions to get started on a one-off label migration MR
  - @connorgilbert filed Category move: Code Quality moving back to Stat... (gitlab-org/quality/triage-ops#1561 - closed) • Unassigned
- Rename Slack channels to reflect the new category/stage/group name: N/A
- Open an MR in the gitlab-org/gitlab project to update any reference of the previous group label to the new one. @connorgilbert: There don't appear to be any changes required.
- Mention the product group Technical Writer to update the documentation metadata
- Share the MR in #product, #development, #g_engineering_analytics and the relevant #s_, #g_, and #f_ Slack channels. Shared in #product, #development, #s_secure, #sec-section, #g_secure-static-analysis.
  - Note: g_engineering_analytics does not exist
- Review direction pages, groups, projects, epics, issues, templates and documentation to ensure the name change is applied consistently
- (for group change only) Update the event and metric definitions belonging to the group by following this guide
  - @connorgilbert: There do not appear to be any metrics associated with secret_detection that need to be changed; all secret_detection metrics appear to be properly for the Secret Detection category.
Edited by Connor Gilbert