Run Dependency, SAST, and Secret Detection Security Scanning within Developers IDE
Note to wider-community, sales, support and customer success
As always, we welcome contributions, so feel free to ask questions of the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.
Release notes
Problem to solve
As a developer, I would like to run security scans within my preferred IDE (Visual Studio, Sublime, or Atom) so that I can get the security outputs directly, without having to commit the code to the feature/default branch. This would enable developers to proactively find and fix both security weaknesses in proprietary code and known vulnerabilities in open source dependencies at the same time, without committing the code or switching to the GitLab portal for security results.
Intended users
User experience goal
The user should be able to run security scanning from within the preferred IDE, before committing the code to their branch, so that there would be no context switching between the IDE and GitLab portal.
Proposal
Make Dependency, Secret Detection, and SAST scanning available as a plugin within the IDE.
Note that some users may specifically want to execute scans locally while others may derive value from surfacing existing vulnerability findings already found in CI/CD in their IDE. Showing existing findings would not require work to run the actual scanners on developer workstations.
Further details
Another observation from a customer today: the CI based scanning goes against CI minutes, so they believe doing a warm scanning at the IDE level saves money in the long run.
Permissions and Security
Documentation
Availability & Testing
Available Tier
Ultimate
What does success look like, and how can we measure that?
Be able to run dependency and SAST scans within the IDE before committing the code, without switching to the GitLab portal.
What is the type of buyer?
Is this a cross-stage feature?
Yes, as the Editor Extension is maintained by ~"group::code review" and the relevant security scanners are maintained by ~"group::static analysis", ~"group::composition analysis", and ~"group::container security".
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.