15.2 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
devops::secure group::static analysis
See It all starts with planning for details of how the Static Analysis group interacts in this issue.
Category | Direction | Maturity |
---|---|---|
Category:SAST | Epic / Strategy | maturity::complete |
Category:Secret Detection | Epic / Strategy | maturity::viable |
Category:Code Quality | Epic TBD / Strategy | maturity::minimal |
In this issue:
Themes
Engineering team: @gitlab-org/secure/static-analysis
VET is removed as a priority for this milestone because of the buildup of customer issues.
🔎 Customer issues
We have a large number of bugs and issues at or near SLO (see the dashboard link). Even those not at SLO directly affect the experience of our existing and potential customers.
- Epic Improve Sec analyzer supportability (&8030 - closed) includes changes that would help both kics and all other analyzers.
- Update Secret Detection .gitleaks.toml to inclu... (#362816 - closed) to assist with customer reports of long job runtimes.
- Remove low-efficacy or low-value rules from SAS... (&8170 - closed) to improve the default and ongoing experience for users by removing high-false-positive-rate rules.
- ADDITIONAL_CA_CERT_BUNDLE doesn't work for some... (#327438 - closed), if unresolved.
- Provide means of bypassing plugin detection in ... (#351590 - closed)
- Bump kubesec's packaged helm version to latest (#353486 - closed)
- Disable secret detection in KICS SAST IAC scanner (#346181 - closed) to improve kics runtime.
- Use snowplow to collect CI Build exit codes (#330551) to gain better insight into analyzer success and failure.
- kics issues are gathered in epic IaC Scanning (kics) bugs to investigate (&8126 - closed).
- Spotbugs Ant support has apparently not worked for quite a while: Spotbugs-sast detects 0 vulnerabilities on proj... (#350801 - closed)
- Further issues should be selected from the lists below, roughly in this order:
  - All bugs beyond SLO
  - All open bugs at S1, S2, S3
  - All open non-bugs with ~customer tag
When selecting issues:
- Category:SAST and Category:Secret Detection are by default in-scope.
- Invasive changes to deprecated analyzers may not present an appropriate cost/benefit.
- Category:Code Quality changes should be evaluated carefully to ensure that we aren't making throwaway changes to the scanning engine. Reporting and other areas are likely in-scope.
- If you have doubts, please ask.
💻 Improve Code Quality
- Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 - closed) (backend to start)
- Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
- Continue adapting the inline diff feature toward the new design (&8071 - closed) (frontend)
- Investigate options for resolving key issues with scanning in the interim while we research and develop a longer-term solution.
🆕 Monthly Analyzer Updates
We have over a dozen analyzers that need to be maintained; these analyzers are checked and updated every month.
- General Updates
  - Engineering team: @gitlab-org/secure/static-analysis
  - Issue: TODO @twoodham (to be created during Week 1 of the release month)
🚒 Engineering Allocation 10% floor - empower every SWE to raise reliability and security issues
🔮 What's next, if you have time
- VET Go support is not a major theme for 15.2 (see #364845, comment 989588142), but will be again soon: https://gitlab.com/gitlab-org/gitlab/-/issues/356378
- Inline diffs are a major UX improvement that will further strengthen usability and the Ultimate value proposition: Design │ MVC │ Inline findings in the MR (#322689 - closed)
- Additional Semgrep transitions will help us reduce the set of analyzers we have to maintain, while resolving a number of customer bugs and support issues: Semgrep-based analysis in GitLab SAST (&5245 - closed)
- Code Quality scanning is a growing issue. We may complete some spikes on "bridges" that would help us improve the experience before we can fully replace CodeClimate. Stay tuned, and reach out if you're looking for work.
- Use snowplow to collect CI Build exit codes (#330551) would help us be more proactive about the quality of our customer experience.
📚 Documentation priorities
Technical Writing stable counterpart: @rdickenson
New content
Pending
Issue | Weight | TW Weight | Priority |
---|---|---|---|
GitLab Semgrep-based analyzer documentation is ... (#346839 - closed) | - | tw-weight::5? | Low |
Maintenance
Issue | Weight | TW Weight | Priority |
---|---|---|---|
Docs: Clarify that SAST converts native severit... (#350407) | - | tw-weight::8 | Low |
Anticipated release posts
Pending @connorgilbert
🔬 Quality priorities
Quality stable counterpart: @cahamed
TODO
⏩ Planning priorities
Product Manager: @connorgilbert
- Participate in UX research/design and feature scoping for the next iteration of Code Quality
- Various FedRAMP-related responsibilities outside of group::static analysis
- Rework planning-issue process
- Refine UX roadmap (&8141)
- Review options for improving Free/Premium user experience (&4394)
- Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)
UX Designer: @mfangman
- See Secure & Protect Team Planning Issue for 15.1 (#359817 - closed)
- Refine UX Roadmap (&8141)
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
- 15.2 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/19
🔗 Helpful Links - How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- SAST Analyzer job performance metrics