14.1 Planning - Static Analysis
🔒 Secure, Static Analysis - Kickoff Videos
Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
devops::secure, group::static analysis, @gitlab-org/secure/static-analysis-be
Category | Direction | Maturity | Priority
---|---|---|---
SAST | Epic / Strategy | maturity::viable | ~P1
Secret Detection | Epic / Strategy | maturity::viable | ~P2
Code Quality | TBD / Strategy | maturity::minimal | ~P3
🔗 Helpful Links - How we work
- Slack channel: #g_secure-static-analysis
- Static Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics
- 14.1 release issue
Themes
🏷 Continued Rollout of Taggr: Improved Vulnerability Tracking - AST LEADERSHIP (data quality)
Continue rolling out Taggr, the tracking calculator behind Improved Vulnerability Tracking, by progressively enabling its feature flag on gitlab.com.
- Improved Vulnerability Tracking - &5144
- Progressive enablement of Feature flag on gitlab.com - #322044 (closed)
- Port code from Rust to Go
- Engineering team: @dsearles, @rossfuhrman
🔍 VET - Next Generation Proprietary SAST Engine - AST LEADERSHIP (data quality)
GitLab VR & SAST have a proof-of-concept next-generation SAST engine. We want to start implementing it with a focus on reducing false positives. We'll initially target the languages GitLab itself uses so we can dogfood the new engine.
- Epic: https://gitlab.com/groups/gitlab-org/-/epics/4504
- Post-processing analyzer for reducing false positives, starting with Rails (Brakeman):
  - Ultimate feature check and enforcement
  - Stateful import of findings
  - SemVer CI/CD for the post-analyzer
  - Benchmark Ruby
  - Add the post-analyzer to Brakeman
  - Review and clean up code
- Standardize FE/BE organization
- Formalize and implement telemetry
- Engineering team: @ssarka, @zrice
Continued Transition to Semgrep - AST LEADERSHIP (data quality)
- Semgrep recently replaced our JavaScript, TypeScript, and Python analyzers. With Improved Vulnerability Tracking added to the Semgrep analyzer and existing findings remapped to it, we can remove the ESLint and Bandit jobs. We will also support more customization options for Semgrep, including making it easier to add external community rules from the Semgrep rules repository.
- Epic: &5245
- To be executed after tracking-calculator/taggr rollout.
- Engineering team: @dsearles, @rossfuhrman
🤝 Begin Handover of CodeQuality
Code Quality is moving to Static Analysis. We will start shadowing the Verify group (~"group::verify") as they tie up loose ends in %14.1 and %14.2.
- UX Transition gitlab-design#1614 (closed)
- Engineering Handoff gitlab-com/Product#2563 (closed)
- Engineering team: @theoretick
⚙ Monthly Analyzer Updates Issue
We maintain over a dozen analyzers; each one is checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis-be