WIP: Establish Static Analysis Group Direction
Establish Static Analysis Group Direction: https://about.gitlab.com/direction/secure/static-analysis/
We need to establish alignment around how the Static Analysis group wants to achieve the Secure Stage Vision and have a framework for how we think about problems. This issue is intended to hold discussion as @tmccaslin solidifies a plan for the Static Analysis Group.
Static Analysis - Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
Static Application Security Testing (SAST) - direction - #205387
Secret Detection - direction - #205388
Malware & Virus Detection (Soon) - #198276
Some strategic pillars I'm considering as overarching themes for our categories:
- How do we protect the most repos from the most common security issues (opportunity for impact)
- How do we choose the least invasive default option for the appropriate level of risk (don’t break the build unless it’s critical)
- Enable configuration and advanced capabilities (ML?) for advanced users (power and flexibility)
- Enable workflows that ensure the appropriate attention on issues and allow them to be tracked over time (trust and tracking)
- Provide integration points (for us internally, but also for external integrators) enabling integrations (be an ecosystem player)
Feedback is welcome. These strategic pillars should be "obvious" and easy to understand; they should not be controversial. If you think they are wrong or misaligned, please share your thoughts in a comment.
Within each of these strategic pillars there will be features in various stages of development that help us achieve our group vision.