GitLab.org / GitLab / Issues / #10880

Standardize Security Analyzers Logging

Problem to solve

There is a lack of control over logging and a lack of convention for our Security Analyzers.

Intended users

Persona: Software developer

Tasks

gitlab-org/security-products/analyzers/common!73 (merged) has an example of how to use the common logrus format.

  • Document SECURE_LOG_LEVEL in GitLab docs.

    • https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
    • https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html
    • https://docs.gitlab.com/ee/user/application_security/sast/index.html
    • https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html
  • Update https://docs.gitlab.com/ee/development/integrations/secure.html to mention how to use logrus / common logrus format.

  • Replace fmt print and log calls with the appropriate logrus calls in common.

  • Add support for the SECURE_LOG_LEVEL env var in common.

  • (Static Analysis) replace fmt print and log calls with the appropriate logrus calls in:

    • bandit
    • brakeman
    • eslint
    • flawfinder
    • gosec
    • kubesec
    • nodejs-scan
    • phpcs-security-audit
    • pmd-apex
    • secrets
    • security-code-scan
    • sobelow
    • spotbugs
    • tslint
  • (Dependency Scanning) replace fmt print and log calls with the appropriate logrus calls in:

    • bundler-audit
    • gemnasium-maven
    • gemnasium-python
    • gemnasium
    • retire.js
  • Update klar to use the common logutil for setting the formatter
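As an added example (not code from this issue, from `common`, or from any analyzer), this is the shape of the `SECURE_LOG_LEVEL` handling the tasks above describe: read the variable, map it to a level, fall back to `info` on an empty or unrecognised value while saying so, and route every message through the leveled logger instead of `fmt`. It uses the Go standard library's `log/slog` in place of logrus so that it runs without any dependency; the mechanism is the same. The accepted level names follow the usual logrus vocabulary but are an assumption here, and the analyzer name and path in the sample records are constructed.

```go
package main

import (
	"bytes"
	"io"
	"log/slog"
	"os"
	"strings"
)

// levelFromValue maps a SECURE_LOG_LEVEL value to a log level.
// The accepted names are an assumption for this example (the usual logrus
// vocabulary); slog has no separate fatal/panic/trace levels, so those fold
// into error and debug. An empty value means the default, info. The boolean
// reports whether the value was recognised, so callers can warn on typos
// instead of silently running at the default level.
func levelFromValue(v string) (slog.Level, bool) {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "trace", "debug":
		return slog.LevelDebug, true
	case "", "info":
		return slog.LevelInfo, true
	case "warn", "warning":
		return slog.LevelWarn, true
	case "error", "fatal", "panic":
		return slog.LevelError, true
	default:
		return slog.LevelInfo, false
	}
}

// newAnalyzerLogger builds a structured, leveled logger writing to w.
// Records below the configured level are dropped by the handler, which is
// what makes the output controllable from the environment.
func newAnalyzerLogger(level slog.Level, w io.Writer) *slog.Logger {
	return slog.New(slog.NewTextHandler(w, &slog.HandlerOptions{Level: level}))
}

// emitSample configures a logger from a SECURE_LOG_LEVEL value, writes the
// kind of messages an analyzer would previously have sent through fmt, and
// returns the text produced so the effect of the level can be inspected
// without touching the process environment. The analyzer name and path are
// constructed sample values.
func emitSample(raw string) string {
	var buf bytes.Buffer
	level, ok := levelFromValue(raw)
	logger := newAnalyzerLogger(level, &buf)
	if !ok {
		logger.Warn("unknown SECURE_LOG_LEVEL, falling back to info", "value", raw)
	}
	logger.Info("starting analyzer", "analyzer", "example-analyzer")
	logger.Debug("scanning path", "path", "/tmp/example-project")
	return buf.String()
}

func main() {
	// Logs go to stderr so they never mix with anything written to stdout.
	raw := os.Getenv("SECURE_LOG_LEVEL")
	level, ok := levelFromValue(raw)
	logger := newAnalyzerLogger(level, os.Stderr)
	if !ok {
		logger.Warn("unknown SECURE_LOG_LEVEL, falling back to info", "value", raw)
	}
	logger.Info("starting analyzer", "analyzer", "example-analyzer")
	logger.Debug("scanning path", "path", "/tmp/example-project")
}
```

Run it with `SECURE_LOG_LEVEL=debug go run .` to see the debug record appear, and with a misspelt value to see the warning about the fallback; unset, only the info record is printed.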

What does success look like, and how can we measure that?

  • All output is configurable via logrus
  • fmt is no longer used to output messages
  • There is a documented convention for developers of Security Products, and it is followed for every new Security Product project that is created

What is the type of buyer?

  • GitLab Ultimate users
  • users of the Security Products in their standalone form (as Docker images)

Links / references

Started as a side-talk within #9592 (closed)

Edited Jul 07, 2020 by Daniel Paul Searles