14.0 Planning - Static Analysis
🔒 Secure, Static Analysis - Kickoff Videos
Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
Labels: devops::secure, group::static analysis. Engineering team: @gitlab-org/secure/static-analysis-be
Category | Direction | Maturity | Priority
---|---|---|---
Category:SAST | Epic / Strategy | maturity::viable | ~P1
Category:Secret Detection | Epic / Strategy | maturity::viable | ~P2
Category:Code Quality | TBD / Strategy | maturity::minimal | ~P3
🔗 Helpful Links - How we work
- Slack channel: #g_secure-static-analysis
- Static Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics
- 14.0 release issue
Themes
♻ 14.0 Removals
- Epic for work: &5408 (closed)
- Engineering team: @gitlab-org/secure/static-analysis-be
- See planned removals: gitlab-com/www-gitlab-com!81637 (merged)
👛 Error budgets -> update reporting.
We should audit our codebase to ensure the controller actions are assigned to the right feature category. &5992
- Engineering team: @rossfuhrman, @ssarka
🎯 Tech Discovery: Distroless analyzers.
The goal of this spike is to determine whether or not building the Brakeman image from a distroless base works easily or whether additional development work is required. &6069 (closed)
🏷 Taggr: Improved Vulnerability tracking.
We are testing a new vulnerability research project that improves our vulnerability tracking algorithm against real-world data. Should this exploration be successful, we will replace our existing tracking method in a future release.
- Improved Vulnerability Tracking - &5144
- Progressive enablement of Feature flag on gitlab.com - #322044 (closed)
- Continue taggr roll-out to gosec, and enable on secure tools
- Continue addressing performance/import issues for rails/brakeman implementation
- Start implementation for semgroup
- Engineering team: @rossfuhrman, @ssarka
🔍 VET - Next Generation Proprietary SAST Engine
GitLab VR and SAST have a proof-of-concept next-generation SAST engine. We want to start implementing it, focused on reducing false positives. We will initially target the languages that GitLab itself uses, so that we can dogfood the new engine. https://gitlab.com/groups/gitlab-org/-/epics/4504
⚙ Monthly Analyzer Updates
We have over a dozen analyzers that need to be maintained; each of them is checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis-be
👥 Community MR Coach
The Community MR Coach is a dedicated resource who focuses on:
- community contributions to the static scanners
- customer escalations and bugs
- contributions to the upstream OSS projects we depend on
Community MR Coach for this release: @theoretick