Recommend to users who customize Secure features that these should be tested

Problem to solve

Many of the Secure stage's features can be customized to suit users' specific requirements, including the vulnerability detection rules themselves. When a customization works as intended, there is no issue. When it does not, the result can be a large number of unexpected or false-positive vulnerability findings. Reverting the change and cleaning up the findings it produced is difficult and time-consuming.

Further details

N/A

Proposal

Wherever a Secure feature can be customized in a way that could have unintended consequences, add a warning along the following lines:

WARNING: All customizations of vulnerability rules should be tested in a non-production environment before the changes are merged to the default branch. Failure to do so can result in a large number of false positives.

Who can address the issue

Anyone

Other links/references

This issue is the result of discussion in Slack about the risks of not testing customizations, and the resulting burden on users.

Edited by Russell Dickenson