Elevate security scanner rules from analyzers and put them into the GitLab UI

Problem to solve

We currently rely on third-party, OSS scanners to execute security scans in SAST. Each of these scanners has its own rules, which are updated and extended only by updating the scanners themselves. While this creates a compelling reason to keep the scanners up to date, customers have no visibility into what the scanners can detect or how those rules map to the vulnerabilities we can detect.

It would be ideal if we could bring the detection rules out of the analyzers and into the UI. If we do that, we could enable customers to control which rules are executed.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Sam (Security Analyst)

Further details

  • Allow customers to control which rules are executed.
  • Show how rules map to CVEs and other items which can be detected.
  • Show what we cannot detect, thus highlighting needs for further research and development.
  • With time, provide metrics such as the false-positive and true-positive rates for each rule.

Proposal

There could be a number of user journeys, but I'll highlight one to start.

  1. Sam navigates to the Security dashboard and discovers a number of new findings.
  2. Sam clicks on a finding to unpack what was found and discern the level of risk involved with the finding.
  3. Sam isn't sure about the efficacy of the finding and thinks it may be a false positive. Sam notices a link to the rule and clicks it.
  4. Sam sees a modal pop up describing the rule and what it could discover. There's a button to toggle the rule on/off.
  5. To double-check things, Sam navigates to a rule list view available within the navigation.
  6. Sam browses to the rule in question and notes the ability to turn it back on.

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Links / references

Edited Oct 14, 2019 by Thomas Woodham