15.1 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
Labels: devops::secure, group::static analysis
See "It all starts with planning" for details of how the Static Analysis group interacts in this issue.
| Category | Direction | Maturity |
|---|---|---|
| Category:SAST | Epic / Strategy | maturity::complete |
| Category:Secret Detection | Epic / Strategy | maturity::viable |
| Category:Code Quality | Epic TBD / Strategy | maturity::minimal |
In this issue:
Themes
Engineering team: @gitlab-org/secure/static-analysis
Themes have largely rolled over from %15.0 (#358081 (closed)), but some new items are included.
💻 Improve Code Quality
Engineering team: @rossfuhrman, @jannik_lehmann
- Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
- Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 (closed)) (backend to start)
- Begin adapting inline diff feature toward new design (#359847 (closed)) (frontend)
🆕 Revive VET transition
Engineering team: @zrice, @vbhat161
- Work on Go language frontend (https://gitlab.com/gitlab-org/gitlab/-/issues/356378)
- Familiarize ourselves with latest updates
- Should time allow, begin on JavaScript
🐛 Get a handle on kics
Engineering team: @GuillermoDLSG
We introduced IaC scanning in release %14.5 and it has seen significant adoption since then. However, certain patterns of issues have appeared. Let's get a handle on this so that we can deliver a reliable, valuable experience for customers.
- Epic Improve Sec analyzer supportability (&8030) includes changes that would help both kics and all other analyzers.
- kics issues are gathered in epic IaC Scanning (kics) bugs to investigate (&8126 - closed)
🔎 Customer issues
Let's try to get a handle on issues, whether or not we can resolve all of them. It's important to demonstrate that we hear our users and internal stakeholders!
- ADDITIONAL_CA_CERT_BUNDLE doesn't work for some... (#327438 - closed) if unresolved
- Provide means of bypassing plugin detection in ... (#351590 - closed)
Final issue list TODO @connorgilbert
🆕 Monthly Analyzer Updates
We have over a dozen analyzers to maintain; they are checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis
Issue: https://gitlab.com/gitlab-org/security-products/release/-/issues/122 (created during Week 1 of the release month)
🚒 Engineering Allocation 10% floor - empower every SWE to raise reliability and security issues
🔮 What's next, if you have time
- Inline diffs are a major UX improvement that will further strengthen usability and Ultimate value proposition: Design │ MVC │ Inline findings in the MR (#322689 - closed)
- Additional Semgrep transitions will help us reduce the set of analyzers we have to maintain, while resolving a number of customer bugs and support issues: Semgrep-based analysis in GitLab SAST (&5245 - closed)
- Code Quality scanning is a growing issue. We may complete some spikes on "bridges" that would help us improve the experience before we can fully replace CodeClimate. Stay tuned and reach out if you're looking for work.
- Use snowplow to collect CI Build exit codes (#330551) would help us be more proactive about the quality of our customer experience.
📚 Documentation priorities
Technical Writing stable counterpart: @rdickenson
New content
Pending
| Issue | Weight | TW Weight | Priority |
|---|---|---|---|
| GitLab Semgrep-based analyzer documentation is ... (#346839 - closed) | - | tw-weight5? | Low |
| Recommend to users who customize Secure feature... (#361391 - closed) | - | tw-weight5 | Medium |
Maintenance
| Issue | Weight | TW Weight | Priority |
|---|---|---|---|
| Docs: Clarify that SAST converts native severit... (#350407 - closed) | - | tw-weight8 | Low |
Anticipated release posts
- If we resolve Investigation: Code Quality performance with mu... (#358759 - closed) it will be worth a post.
- Monthly analyzer updates, as usual
🔬 Quality priorities
Quality stable counterpart: @cahamed
TODO
⏩ Planning priorities
Product Manager: @connorgilbert
- Participate in UX research/design and feature scoping for next iteration of Code Quality
- Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)
- Refine UX roadmap (&8141)
UX Designer: @mfangman
- See Secure & Protect Team Planning Issue for 15.1 (#359817 - closed)
- Refine UX Roadmap (&8141)
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
- 15.1 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/18
Helpful Links 🔗
- How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics