Standardize Security Analyzers Logging
Problem to solve
There is a lack of control over logging and a lack of convention for our Security Analyzers.
Intended users
Tasks
gitlab-org/security-products/analyzers/common!73 (merged) has an example of how to use the common logrus format.
- Document SECURE_LOG_LEVEL in GitLab docs:
  - https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
  - https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html
  - https://docs.gitlab.com/ee/user/application_security/sast/index.html
  - https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html
- Update https://docs.gitlab.com/ee/development/integrations/secure.html to mention how to use logrus / the common logrus format.
- Replace fmt print and log calls with the appropriate logrus calls in common.
- Add support for the SECURE_LOG_LEVEL env var in common.
- (Static Analysis) replace fmt print and log calls with the appropriate logrus calls in:
- (Dependency Scanning) replace fmt print and log calls with the appropriate logrus calls in:
- Update klar to use the common logutil for setting the formatter
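The two "common" tasks above (honour SECURE_LOG_LEVEL, route all output through a leveled logger instead of fmt) are small enough to show end to end. The following is an added example, not code from the common package or from !73: it parses SECURE_LOG_LEVEL with the same level names logrus.ParseLevel accepts, defaults to info when the variable is unset, reports (rather than silently swallows) an unknown value, and gates messages by level. To keep it runnable without third-party modules it uses a tiny stand-in logger and an illustrative key=value layout; in the real analyzers that role is played by logrus.SetLevel and the shared formatter. The analyzer name, the log lines and the `Analyzer` field are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"strings"
)

// Level mirrors the level names logrus.ParseLevel accepts, in logrus' order:
// a numerically lower level is more severe.
type Level int

const (
	PanicLevel Level = iota
	FatalLevel
	ErrorLevel
	WarnLevel
	InfoLevel
	DebugLevel
	TraceLevel
)

var levelNames = map[string]Level{
	"panic": PanicLevel, "fatal": FatalLevel, "error": ErrorLevel,
	"warn": WarnLevel, "warning": WarnLevel, "info": InfoLevel,
	"debug": DebugLevel, "trace": TraceLevel,
}

var levelStrings = [...]string{"panic", "fatal", "error", "warning", "info", "debug", "trace"}

func (l Level) String() string {
	if l < 0 || int(l) >= len(levelStrings) {
		return "unknown"
	}
	return levelStrings[l]
}

// ParseSecureLogLevel maps the value of SECURE_LOG_LEVEL to a Level.
// An unset (empty) variable yields the info default. An unrecognised value
// also yields info but returns an error, so a typo in a CI variable is
// surfaced instead of quietly hiding the debug output someone asked for.
func ParseSecureLogLevel(value string) (Level, error) {
	v := strings.ToLower(strings.TrimSpace(value))
	if v == "" {
		return InfoLevel, nil
	}
	if lvl, ok := levelNames[v]; ok {
		return lvl, nil
	}
	return InfoLevel, fmt.Errorf("unknown SECURE_LOG_LEVEL %q (expected one of panic, fatal, error, warn, info, debug, trace)", value)
}

// LevelFromEnv reads SECURE_LOG_LEVEL from the process environment.
func LevelFromEnv() (Level, error) {
	return ParseSecureLogLevel(os.Getenv("SECURE_LOG_LEVEL"))
}

// Logger is a small stand-in for a logrus logger with a fixed text formatter,
// used so the example runs without third-party modules. In the analyzers the
// same role is played by logrus.SetLevel and a shared logrus.Formatter.
type Logger struct {
	Out      io.Writer
	Level    Level
	Analyzer string // hypothetical field: analyzer name stamped on every line
}

// Log writes one key=value line when the entry's level is enabled and reports
// whether anything was written. The layout is illustrative, not the common
// package's real format.
func (l *Logger) Log(level Level, msg string) bool {
	if level > l.Level {
		return false
	}
	fmt.Fprintf(l.Out, "level=%s analyzer=%s msg=%q\n", level, l.Analyzer, msg)
	return true
}

func (l *Logger) Debug(msg string) bool { return l.Log(DebugLevel, msg) }
func (l *Logger) Info(msg string) bool  { return l.Log(InfoLevel, msg) }
func (l *Logger) Warn(msg string) bool  { return l.Log(WarnLevel, msg) }
func (l *Logger) Error(msg string) bool { return l.Log(ErrorLevel, msg) }

// RunScan simulates an analyzer run with SECURE_LOG_LEVEL set to levelValue
// and returns the lines that reached the output, so the effect of the variable
// is visible. The messages are constructed for the example.
func RunScan(levelValue string) (string, error) {
	lvl, err := ParseSecureLogLevel(levelValue)
	var buf bytes.Buffer
	lg := &Logger{Out: &buf, Level: lvl, Analyzer: "example-analyzer"}
	lg.Debug("resolved dependency graph")
	lg.Info("scan started")
	lg.Warn("manifest has no lock file; versions may be imprecise")
	lg.Error("vulnerability database download failed")
	return buf.String(), err
}

func main() {
	out, err := RunScan(os.Getenv("SECURE_LOG_LEVEL"))
	if err != nil {
		fmt.Fprintf(os.Stderr, "warning: %v; falling back to info\n", err)
	}
	fmt.Print(out)
}
```

Run it with `SECURE_LOG_LEVEL=debug go run .` and the debug line appears; with the variable unset only info and above are printed; with a misspelt value the analyzer still runs at info but says so on stderr, which is the behaviour a CI user debugging a silent pipeline wants.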
What does success look like, and how can we measure that?
- All output is configurable via logrus
- fmt is no longer used to output messages
- There is a convention documented for the developers of Security Products, and it is followed for any new Security Product project created
What is the type of buyer?
- GitLab Ultimate users
- users of the Security Products in their standalone form (as Docker images)
Links / references
Started as a side-talk within #9592 (closed)