Standardize Security Analyzers Logging
Problem to solve
There is a lack of control over logging and a lack of convention for our Security Analyzers.
Intended users
Tasks
gitlab-org/security-products/analyzers/common!73 (merged) has an example of how to use the common logrus format.
-
Document
SECURE_LOG_LEVELin GitLab docs.- https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
- https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html
- https://docs.gitlab.com/ee/user/application_security/sast/index.html
- https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html
-
Update https://docs.gitlab.com/ee/development/integrations/secure.html to mention how to use logrus / common logrus format.
-
Replace fmt print and log calls with the appropriate logrus calls in common.
-
Add support for the
SECURE_LOG_LEVELenv var in common. -
(Static Analysis) replace fmt print and log calls with the appropriate logrus calls in:
-
(Dependency Scanning) replace fmt print and log calls with the appropriate logrus calls in:
-
Update klar to use the common logutil for setting the formatter
What does success look like, and how can we measure that?
- All output is configurable via logrus
-
fmtis no longer used to output messages - There is a convention documented for the developer of Security Products and it's executed for any new Security Product project created
What is the type of buyer?
- GitLab Ultimate users
- users of the Security Products in their standalone form (as Docker images)
Links / references
Started as a side-talk within #9592 (closed)