Move secret detection into its own vendored template (#207990) · Issues · GitLab.org / GitLab

Move secret detection into its own vendored template

Problem to solve

As it stands today, secrets detection is enabled as part of the SAST vendored template. However, secret detection is a separate feature category and has an emerging roadmap. Keeping these two features coupled through the vendored template will be a limiting factor and we should move secret detection into its own vendored template sooner rather than later.

Intended users

Further details

Proposal

Create a new vendored template dedicated to the secret detection feature category.
Remove Secret Detection from the SAST vendored template.
Create a new report type for secret detection
Add Secret Detection vendored template to the AutoDevops Template
Check how telemetry/usage ping works for tracking Security job usage and ensure it tracks this new secret template

Permissions and Security

Documentation

New page likely at https://docs.gitlab.com/ee/user/application_security/secret_detection
Move content from existing section to this page
I expect we'll want to make edits that talk about the vendored template, and generally about how secret detection works.

Availability & Testing

This is a breaking change. Previous users of the SAST vendored template will no longer get Secret Detection from that one include.
Integration tests need to be updated.

What does success look like, and how can we measure that?

What is the type of buyer?

Links / references

### Problem to solve

### Intended users

* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Further details

### Proposal

* Create a new vendored template dedicated to the secret detection feature category.
* Remove Secret Detection from the SAST vendored template.
* Create a new report type for secret detection
* Add Secret Detection vendored template to the AutoDevops Template 
* Check how telemetry/usage ping works for tracking Security job usage and ensure it tracks this new secret template

### Permissions and Security

### Documentation

* New page likely at https://docs.gitlab.com/ee/user/application_security/secret_detection
* Move content from [existing section](https://docs.gitlab.com/ee/user/application_security/sast/#secret-detection) to this page
* I expect we'll want to make edits that talk about the vendored template, and generally about how secret detection works.

### Availability & Testing

<!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.

What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?

Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.
* Unit test changes
* Integration test changes
* End-to-end test change

See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning -->

* This is a breaking change. Previous users of the SAST vendored template will no longer get Secret Detection from that one include.
* Integration tests need to be updated.

### What does success look like, and how can we measure that?

### What is the type of buyer?

### Links / references

Edited May 07, 2020 by Taylor McCaslin

Discussion
Designs