Global Changelog for Secure Analyzers
Release notes
Analyzers get updated "under the hood" by pushing and replacing major versions of Docker images. These updates should be backward compatible by definition (otherwise we bump the major version). It's a convenient way to stay up-to-date, especially with security rules/definitions, but it's hard to follow the changes occurring. Every analyzer has a dedicated changelog, but that's a lot of files to monitor (ex: https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/blob/master/CHANGELOG.md), and not everyone is aware of their existence or location.
Problem to solve
Facilitate the tracking of changes in analyzers.
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
User experience goal
The user should have a single place to look for changes in analyzers.
Proposal
We could gather all the changelog files, cross-link them with the projects' releases to order the entries by date, and generate a full list with dates.
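A sketch of that aggregation, added here as an example and not part of the proposal itself: it assumes each analyzer's CHANGELOG.md uses `## vX.Y.Z` headings with bullet entries and that release dates come from a separate lookup (both the changelog texts and the dates below are constructed).

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample changelogs (assumed "## vX.Y.Z" + bullet layout; not real analyzer content).
CHANGELOGS = {
    "sobelow": "# Sobelow changelog\n## v2.1.0\n- Update sobelow dependency\n## v2.0.0\n- Switch to new report schema\n",
    "brakeman": "# Brakeman changelog\n## v2.1.0\n- Bump brakeman dependency\n## v2.0.1\n- Fix a false positive\n",
}

# Constructed release dates, standing in for the projects' releases (brakeman v2.1.0 is deliberately absent).
RELEASE_DATES = {
    ("sobelow", "v2.1.0"): date(2020, 5, 4),
    ("sobelow", "v2.0.0"): date(2020, 3, 2),
    ("brakeman", "v2.0.1"): date(2020, 4, 15),
}

VERSION_RE = re.compile(r"^##\s+(v\d+\.\d+\.\d+)\s*$")


@dataclass
class Entry:
    analyzer: str
    version: str
    released: Optional[date]
    notes: list = field(default_factory=list)


def parse_changelog(analyzer, text, release_dates):
    """Turn one CHANGELOG.md into Entry objects, attaching the release date when one is known."""
    entries, current = [], None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = Entry(analyzer, m.group(1), release_dates.get((analyzer, m.group(1))))
            entries.append(current)
        elif current is not None and line.startswith("- "):
            current.notes.append(line[2:].strip())
    return entries


def global_changelog(changelogs, release_dates):
    """Merge all analyzers' entries, newest release first; undated entries sort last rather than vanish."""
    entries = [e for name, text in changelogs.items() for e in parse_changelog(name, text, release_dates)]
    entries.sort(key=lambda e: (e.released is None, -e.released.toordinal() if e.released else 0))
    return entries


def render(entries):
    """One line per release so the whole Secure stage can be scanned in a single place."""
    return [f"{e.released.isoformat() if e.released else 'unreleased'} {e.analyzer} {e.version}: "
            + "; ".join(e.notes) for e in entries]
```

Entries whose version has no matching release are kept and flagged as `unreleased`, which surfaces changelog/release drift instead of hiding it.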
Further details
TBD
Permissions and Security
- Add expected impact to members with no access (0)
- Add expected impact to Guest (10) members
- Add expected impact to Reporter (20) members
- Add expected impact to Developer (30) members
- Add expected impact to Maintainer (40) members
- Add expected impact to Owner (50) members
Documentation
Add link to https://docs.gitlab.com/ee/user/application_security/
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Yes, all Secure.