Documentation for security tools maintenance and vulnerabilities DB update
Problem to solve
We see rising needs (both internal and external) to know more about our features' abilities and behaviours. There are existing docs in the main GitLab docs for each feature, but we still miss some more specific content like:
- How often do we update the vulnerability DB or analyzers?
- Do we have to update GitLab to benefit from the latest vulnerability definitions?
Unfortunately these questions may have multiple answers depending on the type of analysis (SAST, DS, CS, DAST) and on the underlying scanner, which is selected based on the context (language, framework, package manager).
This implies a breakdown per report scanner. We started to document the SAST analyzers, but we need a better place with more visibility. It's probably time to bring that into the main documentation and improve it to address additional concerns.
I think this could also help the community to get involved in the development of these scanners.
Proposal
To Be Confirmed/Improved
For each type of report we should expand on the specificities of the underlying scanners.
This should clearly show which scanner will report for a given language, framework, package manager, etc., and what the specs of that particular scanner are.
The goal is to allow users to quickly know about what matters for their projects.
Who can address the issue
~Secure ~Documentation