13.10 Planning - Static Analysis
🔒 Secure, Static Analysis - Kickoff Videos
Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
Labels: devops::secure, group::static analysis, @gitlab-org/secure/static-analysis-be
Category | Direction | Maturity | Priority
---|---|---|---
Category:SAST | Epic / Strategy | maturity::viable | ~P1
Category:Secret Detection | Epic / Strategy | maturity::viable | ~P2
Category:Malware Scanning | Epic / Strategy TBD | maturity::planned | ~P4
Helpful Links - How we work
- Slack channel: #g_secure-static-analysis
- Static Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- 13.10 release issue
Themes
🆕 Evaluate replacing SAST Analyzers with Semgrep:
We are exploring a transition away from various linter analyzers to unify around Semgrep for streamlined updates, rules, and simplification. This work will begin with a technical discovery.
- Finish overflow from %13.9: &5245 (closed)
- JavaScript, TypeScript, and React.js support: &5440 (closed)
- Engineering team: @dsearles, @zrice
♻ Working on Major Deprecations / Removals upcoming within 14.0.
- Epic for work: &5408 (closed)
- Engineering team: @twoodham, @theoretick, @rossfuhrman, @ssarka, @zrice, @dsearles
- See planned deprecations (13.10) and removals (14.0): #273620 (closed)
- #232660 (closed)
- #229974 (closed)
- #297269 (closed)
- #301215 (closed)
- #301216 (closed)
🏷 Taggr: Improved Vulnerability tracking.
We are working to test a new vulnerability research project that improves our vulnerability tracking algorithm against real world data. Should this exploration be successful we will replace our existing tracking method in a future release.
- Improved Vulnerability Tracking - &5144
- Engineering team: @theoretick, @rossfuhrman
👥 Community MR Coach
The Community MR Coach is a dedicated resource who focuses on:
- community contributions to static scanners
- handle customer escalations/bugs
- contributions to upstream OSS projects we depend on
Community MR Coach for this release: @ssarka
- Slack time projects:
Outcomes
Release Post Candidates
Issue | Notes | Release Post
---|---|---
Repost of 13.9 deprecations | No changes in content | gitlab-com/www-gitlab-com!77542 (closed)
Changed deprecation for pinned minor version of analyzers | Replaces the previously planned pin to a minor version | gitlab-com/www-gitlab-com!77550 (closed)
Bundle of analyzer updates released during 13.10 | Various analyzer updates | gitlab-com/www-gitlab-com!77553 (closed)
Feedback
Edited by Taylor McCaslin