15.3 Planning - Static Analysis

🔒 Secure, Static Analysis - Milestone Planning

Labels: devops::secure, group::static analysis

See "It all starts with planning" for details of how the Static Analysis group interacts in this issue.

Category           Direction               Maturity
SAST               Epic / Direction        complete
Secret Detection   Epic / Direction        viable
Code Quality       Epic TBD / Direction    minimal


Narrative

In 15.2, we had a single-minded focus on burning down customer issues and re-asserting control over a growing bug backlog. (See 15.2 Planning - Static Analysis (#364845 - closed).)

In 15.3, our investment mix will change. We'll return to a more balanced focus on:

  • Resolving strategic customer issues by investing in proactive feature work rather than specific, reactive bug fixes.
  • Managing or mitigating other customer issues in an efficient, iterative manner.
  • Investing in UI/UX.

It's important to remember that we can only invest in this type of net-new work if we meet our baseline obligations, including SLOs and error budgets. Hence, while each maintenance or bug item may not individually have as high priority as our strategic efforts to move the ball forward, we have to keep those under control.

Themes

Engineering team: @gitlab-org/secure/static-analysis

Theme: Strategic analyzer improvements

Theme: Code Quality ownership

  1. Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 (closed)) (backend to start)
  2. Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
  3. Continue adapting inline diff feature toward new design (&8071 (closed)) (frontend)
  4. Investigate options for resolving key issues with scanning in the interim while we research and develop a longer-term solution.
    1. See &8161 (closed) for identified problems.
    2. Spike on mirroring images to our repository? #343367 (closed), cf. https://gitlab.com/gitlab-com/legal-and-compliance/-/issues/905#note_991504353

Theme: UI/UX investment

Our UI/UX surface is limited. The main focus for UI/UX advancement is enabling SAST findings in inline diffs, beginning with adapting and owning the implementation of Code Quality inline findings (see section above).

Theme: Customer issues

We have a large number of bugs and customer issues in our backlog. Even those not yet at SLO directly affect the experience of our existing and potential customers.

See bug issues tagged in the current milestone.

Theme: Monthly Analyzer Updates

We have over a dozen analyzers that need to be maintained; these analyzers are checked and updated every month.

Issue: https://gitlab.com/gitlab-org/security-products/release/-/issues/125+

Theme: Maintenance

See issues tagged in the current milestone.

📚 Documentation priorities

Technical Writing stable counterpart: @rdickenson

New content

Pending

Issue                                                                        Weight   TW Weight   Priority
GitLab Semgrep-based analyzer documentation is ... (#346839 - closed)        -        5?          Medium
Move custom rulesets docs to their own page                                  -        8           Low

Maintenance

Issue                                                                        Weight   TW Weight   Priority
Docs: Clarify that SAST converts native severit... (#350407 - closed)        -        8           Low

Anticipated release posts

  • Any completed Semgrep conversions
  • Monthly analyzer updates
  • Support for multiple Code Quality reports, if completed/activated

🔬 Quality priorities

Quality stable counterpart: @cahamed

TODO

Planning priorities

Product Manager: @connorgilbert

  • Participate in UX research/design and feature scoping for next iteration of Code Quality
  • Various FedRAMP-related responsibilities outside of group::static analysis
  • Rework planning-issue process
  • Refine UX roadmap (&8141)
  • Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)

UX Designer: @mfangman

Outcomes

Release Post Candidates

Release post MRs for this milestone

Feedback

Helpful Links 🔗

Edited by Connor Gilbert