13.10 Planning - Static Analysis

🔒 Secure, Static Analysis - Kickoff Videos

Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.

devopssecure groupstatic analysis @gitlab-org/secure/static-analysis-be

Category Direction Maturity Priority
Category:SAST Epic / Strategy maturityviable ~P1
Category:Secret Detection Epic / Strategy maturityviable ~P2
Category:Malware Scanning Epic / Strategy TBD maturityplanned ~P4

Helpful Links 🔗

Themes

🆕 Evaluate replacing SAST Analyzers with Semgrep:

We are exploring a transition away from various linter analyzers to unify around Semgrep for streamlined updates, rules, and simplification. This work will begin with a technical discovery.

Working on Major Deprecations / Removals upcoming within 14.0.

🏷 Taggr: Improved Vulnerability tracking.

We are working to test a new vulnerability research project that improves our vulnerability tracking algorithm against real world data. Should this exploration be successful we will replace our existing tracking method in a future release.

👥 Community MR Coach

community MR Coach to have a dedicated resource to focus on:

  • community contributions to static scanners
  • handle customer escalations/bugs
  • contributions to upstream OSS projects we depend on

Community MR Coach for this release: @ssarka

Outcomes

Release Post Candidates

Issue Notes Release Post
Repost of 13.9 deprecations No changes in content gitlab-com/www-gitlab-com!77542 (closed)
Changed deprecation for pinned minor version of analyzers. Replaces previous planned pin to minor gitlab-com/www-gitlab-com!77550 (closed)
Bundle of Analyzer updates releaesd during 13.10 Various analyzer updates gitlab-com/www-gitlab-com!77553 (closed)

Feedback

Edited by Taylor McCaslin