15.0 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
devopssecure groupstatic analysis
| Category | Direction | Maturity | Priority |
|---|---|---|---|
| Category:SAST | Epic / Strategy | maturitycomplete | ~P1 |
| Category:Secret Detection | Epic / Strategy | maturityviable | ~P2 |
| Category:Code Quality | Epic TBD / Strategy | maturityminimal | ~P3 |
On this page:
Themes
♻ Complete analyzer consolidation
Engineering team: @zrice, @rossfuhrman, @vbhat161
It's time! Let's complete our %15.0 deprecations/removals/breaking changes. See 15.0 Deprecations and Removals Work - Static An... (&7201 - closed) for details.
To see what has been announced publicly about analyzer changes, see the deprecation announcement SAST analyzer consolidation and CI/CD template changes and our deprecation announcement issues.
Specific issues:
- Complete Enable new analyzers to take over reporting for... (&6440 - closed) to be able to take over ESLint, Gosec, and Bandit findings and remove those analyzers by default in %15.0, while paving the way to deprecate and remove the rest of the rules as well.
- Complete migration of Java workload to Semgrep if not complete: Migrate Java SAST coverage from SpotBugs to Sem... (#352666 - closed) (without fully removing the SpotBugs analyzer, which will continue to serve other JVM languages)
- Note that in 15.0 we'll remove SpotBugs by default for Java
- Announced deprecations
💻 Pick up Code Quality
Engineering team: @rossfuhrman, @jannik_lehmann
- Continue/complete [MR Widget Eng] Code quality (&7701 - closed)
- Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs: #358759 (closed)
- Begin adapting inline diff feature toward new design (#359847 (closed))
🆕 Revive VET transition
Engineering team: @zrice, @vbhat161
- Work on Go language frontend (https://gitlab.com/gitlab-org/gitlab/-/issues/356378)
- Familiarize ourselves with latest updates
🔎 Customer issues
Let's try to get a handle on issues, whether or not we can resolve all of them. It's important to demonstrate that we hear our users and internal stakeholders!
- P1/S1 issue in kics: kics IaC scanner fails to run: open /tmp/kics.s... (#351711 - closed)
- Dogfooding issue with secret detection: Secret Detection fails to detect secret in merg... (#356093 - closed)
- Apparent regression in custom-CA support for SD: secret_detection fails in merge request with SS... (#349299 - closed)
Bugs over SLO and need resolution (either "already fixed", "we'll work on it in 15.0", "we will file a docs issue/MR to say how to fix this", or something else):
- Maven multimodule bug needs to be closed (answer could be that Semgrep fixes this for Java): sast spotbugs failed on maven multimodules proj... (#334854 - closed)
- Secret Detection issue: Secret Detection full history scan silently fai... (#328843 - closed)
- CA certs issue: Analyzers bug with Custom CA on OpenShift inval... (#350625 - closed)
- Secrets detection fails when default branch has... (#352014 - closed)
🆕 Monthly Analyzer Updates
We have over a dozen analyzers that need to be maintained, these analyzers are checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis
Issue: https://gitlab.com/gitlab-org/security-products/release/-/issues/121
📖 Odds and ends
- Use snowplow to collect CI Build exit codes (#330551)
- Security Configuration: Move features available... (#357330)
🚒 Engineering Allocation 10% floor - empower every SWEs from raising reliability and security issues
🔮 What's next, if you have time
We'll be investing in:
- taking ownership of Code Quality
- possibly coming up with a solution to "bridge" scanning to a new design by resolving short-term issues faster. do we fork?
- investing in VET
- improving the IaC experience
Any work getting ready for those will be useful!
📚 Documentation priorities
Technical Writing stable counterpart: @rdickenson
New content
Pending
Maintenance
-
Documentation changes required by Enable new analyzers to take over reporting for... (&6440 - closed), including:
-
Work carried over from %14.10
Anticipated release posts
- Removal announcements will need to be updated
- We can highlight the improvements as a release post as well (faster scanning, no Java builds, etc.)
🔬 Quality priorities
Quality stable counterpart: @cahamed
TODO
⏩ Planning priorities
Product Manager: @connorgilbert
- Complete updates to direction pages
- Begin UX research/design and feature scoping for next iteration of Code Quality
- UXR issue: ux-research#1886 (closed)
- Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)
UX Designer: @mfangman
- See Secure & Protect Team Planning Issue for 15.0 🎉 (#356294 - closed)
- We'll have a UX Roadmap workshop during this milestone as well: https://gitlab.com/gitlab-org/gitlab/-/issues/356902+
- The goal is to produce a UX roadmap—"a strategic, living artifact that aligns, prioritizes, and communicates a Product Design team’s future work and problems to solve."
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
- 15.0 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/17 (private link)
Helpful Links 🔗
- How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics