Deprecating SAST_ANALYZER_IMAGE_TAG

Release post content

With the maturity of GitLab Secure scanning tools, we've needed to add more granularity to our release process. Prior to this release GitLab shared a single major version number across all our analyzers and tools. This required every tool to share a major version and prevented the use of semantic version numbering. Beginning in 13.10 GitLab SAST will deprecate the SAST_ANALYZER_IMAGE_TAG in our managed SAST.gitlab-ci.yml CI template in favor of major.minor tags for each analyzer. If you override or maintain custom versions of SAST.gitlab-ci.yml you will want to update your CI templates to stop referencing SAST_ANALYZER_IMAGE_TAG. We strongly encourage inheriting from and overriding our managed CI templates to future-proof your CI configuration. This change allows you to instead override with a pinned major.minor version for more granular control over future analyzer updates. We will remove SAST_ANALYZER_IMAGE_TAG with GitLab 14.0, releasing May 22, 2021.

Problem to solve

GitLab's Secure scanning tools have continued to mature, and we need to add more granularity to our release process. Prior to this release GitLab shared a single major version number across all analyzers and tools used in SAST. While this approach keeps things simple for customers, it introduces an unintended coupling between analyzer projects. In short, having one variable declare the version of every analyzer forces us to keep the analyzer versions in sync rather than letting each analyzer be versioned naturally as new features are introduced over time. We need to undo this coupling.

Proposal

  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the bandit-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the brakeman-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the eslint-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the flawfinder-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the gosec-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the kubesec-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the mobsf-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the nodejs-scan-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the phpcs-security-audit-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the pmd-apex-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the security-code-scan-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the semgrep-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the sobelow-sast job. Default its value to 2.
  • Add SAST_ANALYZER_IMAGE_TAG as a variable in the spotbugs-sast job. Default its value to 2.
  • Remove SAST_ANALYZER_IMAGE_TAG as a global variable from the SAST vendored template.
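To make the proposal above and the override advice in the release post concrete, here is an added example (written for this page, not an excerpt of GitLab's actual template) showing the template before and after the change, followed by a project .gitlab-ci.yml that inherits the managed template and pins one analyzer to a major.minor tag. The job names, the variable name and the default of 2 come from this issue; the SECURE_ANALYZERS_PREFIX variable, the registry path, the simplified .sast-analyzer base job and the "2.10" pin are assumptions or placeholders, not values taken from this page.

```yaml
# Document 1: vendored SAST.gitlab-ci.yml BEFORE the change (pattern being deprecated).
# SECURE_ANALYZERS_PREFIX and the registry path are assumptions, not from the issue.
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  SAST_ANALYZER_IMAGE_TAG: 2          # one global tag forces every analyzer onto major 2

.sast-analyzer:                       # simplified stand-in for the template's base job
  stage: test
  allow_failure: true
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json

bandit-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"

brakeman-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"

---
# Document 2: vendored SAST.gitlab-ci.yml AFTER the change (what the proposal bullets describe).
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  # SAST_ANALYZER_IMAGE_TAG is no longer declared globally (last proposal bullet)

.sast-analyzer:
  stage: test
  allow_failure: true
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json

bandit-sast:
  extends: .sast-analyzer
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2        # per-job default; bandit can now move independently
  image:
    name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"

brakeman-sast:
  extends: .sast-analyzer
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2        # same default, but no longer tied to bandit's
  image:
    name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"

---
# Document 3: a project's own .gitlab-ci.yml that inherits the managed template
# and overrides a single job, which is the pattern the release post recommends.
include:
  - template: Security/SAST.gitlab-ci.yml

bandit-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "2.10"   # placeholder major.minor pin; use a tag that actually exists
```

Because GitLab CI gives job-level variables precedence over global ones, a project that kept overriding SAST_ANALYZER_IMAGE_TAG at the top level of its .gitlab-ci.yml would silently stop affecting the analyzer version once the template moves the variable into each job; the override has to live inside the job, as in document 3. Pinning a major.minor tag also means the analyzer's rule set only changes when you bump the pin, so review the pinned version as part of routine dependency updates rather than assuming new detections arrive automatically.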
Edited by Daniel Paul Searles