Bring SAST scanners to Core
Promoted to Epic
This issue has been converted to an Epic instead of a single issue. Please review that epic for the latest requirements and current status of moving SAST scanners to Core.
Original issue text
Intended users
Overview
GitLab Enterprise Edition includes SAST scanning. We will move it to Core to fulfill our stewardship promise.
Proposal
Make the first three SAST capabilities listed below available in all tiers, including Core. Note that the bottom three capabilities should remain in GitLab Ultimate only.
| Capability | In Core | In Ultimate |
|---|---|---|
| Configure SAST Scanners | Yes | Yes |
| Customize SAST Settings (Overrides, Available Variables, Filters, Timeouts, Settings ) | Yes | Yes |
| View JSON Report | Yes | Yes |
| Presentation of JSON Report in Merge Request | No | Yes |
| Interaction with Vulnerabilities | No | Yes |
| Access to Security Dashboard | No | Yes |
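In Core the SAST job still produces its JSON report artifact, but the merge-request presentation, vulnerability interaction and Security Dashboard stay in Ultimate, so a team on Core has to consume the report itself if it wants a pass/fail signal. The following is an added example, not GitLab's own code: it parses a report in the shape of `gl-sast-report.json`, counts findings per severity and decides whether the pipeline should fail at a chosen threshold. The field names (`vulnerabilities[].severity`, `.message`, `.location.file`, `.location.start_line`) are assumed from the GitLab SAST report format, and the sample report embedded below is constructed for the example.

```python
"""Gate on the SAST JSON report (added example, not GitLab code).

Field names are assumed from the GitLab SAST report format; the sample
report is constructed for this example and is not real scanner output.
"""
import json
import sys
from collections import Counter

# Severity levels in ascending order. Anything not listed is treated as "Unknown".
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]

# Constructed sample of what a SAST job might write to gl-sast-report.json.
SAMPLE_REPORT = json.dumps({
    "version": "2.0",
    "vulnerabilities": [
        {"id": "a1", "category": "sast", "severity": "High",
         "message": "Use of hard-coded credential",
         "location": {"file": "app/config.py", "start_line": 12}},
        {"id": "a2", "category": "sast", "severity": "Medium",
         "message": "Possible SQL injection",
         "location": {"file": "app/db.py", "start_line": 40}},
        {"id": "a3", "category": "sast", "severity": "Low",
         "message": "Insecure temporary file",
         "location": {"file": "scripts/tmp.py", "start_line": 3}},
    ],
})


def severity_rank(severity):
    """Map a severity string to a comparable integer; unrecognised strings rank as Unknown."""
    sev = str(severity).capitalize()
    if sev not in SEVERITY_ORDER:
        sev = "Unknown"
    return SEVERITY_ORDER.index(sev)


def load_findings(report_text):
    """Parse the report text and return a list of (severity, file, line, message) tuples.

    Missing fields are tolerated so a partially populated report does not crash the gate.
    """
    data = json.loads(report_text)
    findings = []
    for vuln in data.get("vulnerabilities", []):
        loc = vuln.get("location", {}) or {}
        findings.append((
            vuln.get("severity", "Unknown"),
            loc.get("file", "<unknown>"),
            loc.get("start_line"),
            vuln.get("message", ""),
        ))
    return findings


def count_by_severity(findings):
    """Count findings per severity label, e.g. {'High': 1, 'Medium': 1, 'Low': 1}."""
    return dict(Counter(sev for sev, _, _, _ in findings))


def should_fail(findings, threshold="High"):
    """Return True if any finding is at or above the threshold severity."""
    limit = severity_rank(threshold)
    return any(severity_rank(sev) >= limit for sev, _, _, _ in findings)


if __name__ == "__main__":
    # Usage: python sast_gate.py [path/to/gl-sast-report.json]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
    else:
        report_text = SAMPLE_REPORT
    found = load_findings(report_text)
    for sev, path, line, msg in sorted(found, key=lambda f: -severity_rank(f[0])):
        print(f"[{sev}] {path}:{line} {msg}")
    print("counts:", count_by_severity(found))
    failed = should_fail(found, "High")
    print("fail pipeline:", failed)
    sys.exit(1 if failed else 0)
```

Run as a later-stage job that depends on the SAST job's artifact, and the non-zero exit code fails the pipeline on High or Critical findings without needing the Ultimate-only merge-request widget. The threshold is deliberately a parameter: teams adopting SAST for the first time often start at Critical and tighten it as the backlog shrinks.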
Non-Engineering Tasks
- Create a dedicated blog post explaining the move; some additional rationale can be found in the private deliberation issue.
Documentation
Update documentation to make the distinction between product tiers clear and what is and is not included in each.
Testing
Perform end-to-end tests with both a Core and a GitLab Ultimate license to ensure that the correct functionality is exposed in each license tier.
What does success look like, and how can we measure that?
Number of SAST scans run in the first 30 days after moving this to Core. Target: 300% of the scans run in the previous 30 days.
- This will demonstrate that more users are able to successfully use SAST scanning in Core.
What is the type of buyer?
GitLab Core
Open Questions
- Do we start with all languages? If not, which languages specifically do we start with?
Links / references
/label feature