Update Engineering workflow to include Security Checks
As we now have Security Reports available at the MR level, we have everything we need to get started with DevSecOps in our SDLC. Following today's discussion with the BackEnd teams: the security reports are generally ignored by developers, reviewers, and maintainers. We (the Security Products team) don't want to enforce these checks by blocking the pipeline (see our handbook section on the security paradigm). Instead, we want the security effort to come from the Team itself. The only way to make this happen is to update the Engineering workflow and start making every contributor "security-aware". To educate contributors, we must improve the tools we're providing, especially with more data (https://gitlab.com/gitlab-org/gitlab-ee/issues/5043 and related issues).
- Update Engineering workflow in the handbook: https://about.gitlab.com/handbook/engineering/workflow/
- Fix ambiguity with Security Issues: https://about.gitlab.com/handbook/engineering/workflow/#security-issues
- Update Code Review Guidelines: https://docs.gitlab.com/ee/development/code_review.html
- Update the merge request templates in settings to add a checkbox `* [ ] Security reports checked/validated by reviewer`
  - GitLab-EE
  - GitLab-CE
- Announce the changes in the next Team call
- Announce the changes in the Engineering Week-in-Review
I think we should also add a note to include the Security team in discussions if needed. Apparently, there's currently no GitLab alias for that, @kathyw?
/cc @dhavens @bikebilly