15.2 Planning - Static Analysis

🔒 Secure, Static Analysis - Milestone Planning

devopssecure groupstatic analysis

See It all starts with planning for details of how the Static Analysis group interacts in this issue.

Category	Direction	Maturity
Category:SAST	Epic / Strategy	maturitycomplete
Category:Secret Detection	Epic / Strategy	maturityviable
Category:Code Quality	Epic TBD / Strategy	maturityminimal

In this issue:

• Themes
• Documentation priorities
• Quality priorities
• Planning priorities
• Outcomes

Themes

Engineering team: @gitlab-org/secure/static-analysis

VET is removed as a priority from this milestone due to the buildup of customer issues.

🔎 Customer issues

We have a large number of bugs and issues at or near SLO (see dashboard link). Even those not at SLO directly affect the experience for our existing and potential customers.

• Epic Improve Sec analyzer supportability (&8030) includes changes that would help both kics and all other analyzers.
• Update Secret Detection .gitleaks.toml to inclu... (#362816 - closed) to assist with customer reports of long job runtimes
• Remove low-efficacy or low-value rules from SAS... (&8170 - closed) to improve default and ongoing experience for users by removing high-false-positive-rate rules
• ADDITIONAL_CA_CERT_BUNDLE doesn't work for some... (#327438 - closed) if unresolved
• Provide means of bypassing plugin detection in ... (#351590 - closed)
• Bump kubesec's packaged helm version to latest (#353486 - closed)
• Disable secret detection in KICS SAST IAC scanner (#346181 - closed) to improve kics runtime
• Use snowplow to collect CI Build exit codes (#330551) to gain better insight on analyzer success and failure
• kics issues are gathered in epic IaC Scanning (kics) bugs to investigate (&8126 - closed).
• Spotbugs Ant support has apparently not worked for quite a while: Spotbugs-sast detects 0 vulnerabilities on proj... (#350801 - closed)
• Further issues should be selected from the lists below, roughly in this order:
  1. All bugs beyond SLO
  2. All open bugs at S1, S2, S3
  3. All open non-bugs with ~customer tag

When selecting issues:

• Category:SAST and Category:Secret Detection are by default in-scope.
  • Invasive changes to deprecated analyzers may not present an appropriate cost/benefit.
• Category:Code Quality changes should be evaluated carefully to ensure that we aren't making throwaway changes to the scanning engine. Reporting and other areas are likely in-scope.
• If you have doubts, please ask.

💻 Improve Code Quality

1. Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 (closed)) (backend to start)
2. Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
3. Continue adapting inline diff feature toward new design (&8071 (closed)) (frontend)
4. Investigate options for resolving key issues with scanning in the interim while we research and develop a longer-term solution.

🆕 Monthly Analyzer Updates

We have over a dozen analyzers that need to be maintained, these analyzers are checked and updated every month.

• General Updates
• Engineering team: @gitlab-org/secure/static-analysis

Issue: TODO @twoodham (to be created during Week 1 of the release month)

🚒 Engineering Allocation 10% floor - empower every SWEs from raising reliability and security issues

#352050 (comment 832630296)

🔮 What's next, if you have time

• VET Go support is not a major theme for 15.2 (see #364845 (comment 989588142)), but will be again soon: https://gitlab.com/gitlab-org/gitlab/-/issues/356378
• Inline diffs are a major UX improvement that will further strengthen usability and Ultimate value proposition: Design │ MVC │ Inline findings in the MR (#322689 - closed)
• Additional Semgrep transitions will help us reduce the set of analyzers we have to maintain, while resolving a number of customer bugs and support issues: Semgrep-based analysis in GitLab SAST (&5245 - closed)
• Code Quality scanning is a growing issue. We may complete some spikes on "bridges" that would help us improve the experience before we can fully replace CodeClimate. Stay tuned and reach out if you're looking for work.
• Use snowplow to collect CI Build exit codes (#330551) would help us be more proactive about the quality of our customer experience.

📚 Documentation priorities

Technical Writing stable counterpart: @rdickenson

New content

Pending

Issue	Weight	TW Weight	Priority
GitLab Semgrep-based analyzer documentation is ... (#346839 - closed)	-	tw-weight5?	Low

Maintenance

Issue	Weight	TW Weight	Priority
Docs: Clarify that SAST converts native severit... (#350407 - closed)	-	tw-weight8	Low

Anticipated release posts

Pending @connorgilbert

🔬 Quality priorities

Quality stable counterpart: @cahamed

TODO

⏩ Planning priorities

Product Manager: @connorgilbert

• Participate in UX research/design and feature scoping for next iteration of Code Quality
• Various FedRAMP-related responsibilities outside of groupstatic analysis
• Rework planning-issue process
• Refine UX roadmap (&8141)
• Review options for improving Free/Premium user experience (&4394)
• Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)

UX Designer: @mfangman

• See Secure & Protect Team Planning Issue for 15.1 (#359817 - closed)
• Refine UX Roadmap (&8141)

Outcomes

Release Post Candidates

Release post MRs for this milestone

Feedback

• 15.2 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/19

Helpful Links 🔗

• How we work
• Slack channel: #g_secure-static-analysis
• Static Analysis Group UX issues
• Issue boards - overview of all workflow stages
  • Delivery Workflow Board - focused on development
  • Planning Board - focused on pre-development
• Static Analysis Metrics
  • Official Secure & Defend Performance Indicators
  • Unofficial Static Analysis Usage Dashboard
• SAST Analyzer job performance metrics