14.9 Planning - Static Analysis
🔒 Secure, Static Analysis - Kickoff Videos
Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
Labels: devops::secure, group::static analysis. Engineering team: @gitlab-org/secure/static-analysis-be
| Category | Direction | Maturity | Priority |
|---|---|---|---|
| Category:SAST | Epic / Strategy | maturity::complete | ~P1 |
| Category:Secret Detection | Epic / Strategy | maturity::viable | ~P2 |
| Category:Code Quality | Epic TBD / Strategy | maturity::minimal | ~P3 |
Themes
♻ Continue working toward analyzer deprecations
We should work to complete all deprecations announced in %14.8 as early as possible, except for the items that need to be completed specifically in the %15.0 milestone. See 15.0 Deprecations and Removals Work - Static An... (&7201 - closed) for details. Engineering Team: @gitlab-org/secure/static-analysis-be
Specifically:
- We're starting to think we can take on Enable new analyzers to take over reporting for... (&6440 - closed) and thereby deprecate ESLint, Gosec, and Bandit in %15.0, while paving the way to deprecate and remove the rest of the rules as well.
- DRI: @theoretick
- Explore Back End Solutions: @rossfuhrman
- Explore Front End Solutions: @jannik_lehmann
- We may be able to make a material impact on user experience and Support by targeting an additional Semgrep migration for Java: Migrate Java SAST coverage from SpotBugs to Sem... (#352666 - closed)
- Engineering Team: @vbhat161
🔎 Customer issues
Let's try to get a handle on issues, whether or not we can resolve all of them. It's important to demonstrate that we hear our users and internal stakeholders!
Secret Detection
If not yet resolved, we should look into recent issues, which seem to have increased lately:
- Secrets detection fails when default branch has... (#352014 - closed)
- Secret Detection Job in SAST failing due to uns... (#351976 - closed)
If this is already mitigated, we can skip this.
Engineering Team: @zrice
IaC Scanning
We're in a place where IaC Scanning is new and people are giving it a first try. In order to improve our first impression and show agility, it would be ideal to address some functional issues, in rough priority order:
- Severity and description fields not captured wh... (#349141 - closed)
- kics IaC scanner fails to run: open /tmp/kics.s... (#351711 - closed)
- Would like to be able to ignore folders in KICS (#352589)
- IaC Scanning should differentiate better betwee... (#351424) and Disable secret detection in KICS SAST IAC scanner (#346181 - closed)
- @connorgilbert is happy to review the rulesets and propose what is in/out
- IaC SAST job is hard to use because of its base... (#350417 - closed)
- SAST IaC always shows as not enabled in UI (#350307 - closed)
OpenShift
We may be able to crib from the existing fix for Dependency Scanning. If we can get that done, we'll resolve a customer issue and better support OpenShift overall, which is a long-running issue.
Analyzers bug with Custom CA on OpenShift inval... (#350625 - closed)
⏸ Monthly Analyzer Updates Issue ⚙
We have over a dozen analyzers that need to be maintained; these analyzers are checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis-be
🚒 Engineering Allocation 10% floor - empower every SWE to raise reliability and security issues
📚 Documentation priorities
New content
Pending
Maintenance
Anticipated release posts
Pending
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
Helpful Links 🔗
- How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics
- 14.9 release issue