Standardize Security Analyzers Logging

Problem to solve

There is a lack of control over logging and a lack of convention for our Security Analyzers.

Intended users

Persona: Software developer

Tasks

gitlab-org/security-products/analyzers/common!73 (merged) has an example of how to use the common logrus format.

• Document SECURE_LOG_LEVEL in GitLab docs.

  • https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
  • https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html
  • https://docs.gitlab.com/ee/user/application_security/sast/index.html
  • https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html

• Update https://docs.gitlab.com/ee/development/integrations/secure.html to mention how to use logrus / common logrus format.

• Replace fmt print and log calls with the appropriate logrus calls in common.

• Add support for the SECURE_LOG_LEVEL env var in common.

• (Static Analysis) replace fmt print and log calls with the appropriate logrus calls in:

  • bandit
  • brakeman
  • eslint
  • flawfinder
  • gosec
  • kubesec
  • nodejs-scan
  • phpcs-security-audit
  • pmd-apex
  • secrets
  • security-code-scan
  • sobelow
  • spotbugs
  • tslint

• (Dependency Scanning) replace fmt print and log calls with the appropriate logrus calls in:

  • bundler-audit
  • gemnasium-maven
  • gemnasium-python
  • gemnasium
  • retire.js

• Update klar to use the common logutil for setting the formatter

What does success look like, and how can we measure that?

• All output is configurable via logrus
• fmt is no longer used to output messages
• There is a convention documented for the developer of Security Products and it's executed for any new Security Product project created

What is the type of buyer?

• GitLab Ultimate users
• users of the Security Products in their standalone form (as Docker images)

Links / references

Started as a side-talk within #9592 (closed)