15.3 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
Labels: devops::secure, group::static analysis
See "It all starts with planning" for details of how the Static Analysis group interacts in this issue.
Category | Direction | Maturity |
---|---|---|
Category:SAST | Epic / Direction | maturity::complete |
Category:Secret Detection | Epic / Direction | maturity::viable |
Category:Code Quality | Epic TBD / Direction | maturity::minimal |
Narrative
In 15.2, we had a single-minded focus on burning down customer issues and re-asserting control over a growing bug backlog. (See 15.2 Planning - Static Analysis (#364845 - closed).)
In 15.3, our investment mix will change. We'll return to a more balanced focus on:
- Resolving strategic customer issues by investing in proactive feature work rather than specific, reactive bug fixes.
- Managing or mitigating other customer issues in an efficient, iterative manner.
- Investing in UI/UX.
It's important to remember that we can only invest in this type of net-new work if we meet our baseline obligations, including SLOs and error budgets. Hence, while each maintenance or bug item may not individually have as high a priority as our strategic efforts to move the ball forward, we have to keep those items under control.
Themes
Engineering team: @gitlab-org/secure/static-analysis
Theme: Strategic analyzer improvements
- Semgrep conversions (&5245 (closed)). See language priorities.
- VET language support (https://gitlab.com/gitlab-org/gitlab/-/issues/356378 - team members only)
- Complete feature flag rollout for analyzer takeover (#362179 (closed)) and complete CI/CD template and documentation changes. (See iterative description in SAST Deprecation: Analyzer consolidation and CI... (#352554 - closed).)
Theme: Code Quality ownership
- Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 (closed)) (backend to start)
- Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
- Continue adapting inline diff feature toward new design (&8071 (closed)) (frontend)
- Investigate options for resolving key issues with scanning in the interim while we research and develop a longer-term solution.
  - See &8161 for identified problems.
- Spike on mirroring images to our repository? #343367, cf. https://gitlab.com/gitlab-com/legal-and-compliance/-/issues/905#note_991504353
Theme: UI/UX investment
Our UI/UX surface is limited. The main focus for UI/UX advancement is enabling SAST findings in inline diffs, beginning with adapting and owning the implementation of Code Quality inline findings (see section above).
Theme: Customer issues
We have a large number of bugs and customer issues in our backlog. Even those not at SLO directly affect the experience of our existing and potential customers.
See bug issues tagged in the current milestone.
Theme: Monthly Analyzer Updates
We have over a dozen analyzers to maintain; these analyzers are checked and updated every month.
- General Updates
  - Engineering team: @gitlab-org/secure/static-analysis
  - Issue: https://gitlab.com/gitlab-org/security-products/release/-/issues/125+
Theme: Maintenance
See issues tagged in the current milestone.
📚 Documentation priorities
Technical Writing stable counterpart: @rdickenson
New content
Pending
Issue | Weight | TW Weight | Priority |
---|---|---|---|
GitLab Semgrep-based analyzer documentation is ... (#346839 - closed) | - | tw-weight::5? | Medium |
Move custom rulesets docs to their own page | - | tw-weight::8 | Low |
Maintenance
Issue | Weight | TW Weight | Priority |
---|---|---|---|
Docs: Clarify that SAST converts native severit... (#350407 - closed) | - | tw-weight::8 | Low |
Anticipated release posts
- Any completed Semgrep conversions
- Monthly analyzer updates
- Support for multiple Code Quality reports, if completed/activated
🔬 Quality priorities
Quality stable counterpart: @cahamed
TODO
⏩ Planning priorities
Product Manager: @connorgilbert
- Participate in UX research/design and feature scoping for next iteration of Code Quality
- Various FedRAMP-related responsibilities outside of group::static analysis
- Rework planning-issue process
- Refine UX roadmap (&8141)
- Create a plan for delivering VET in detection mode (including tiering, rollout customer experience, etc.)
UX Designer: @mfangman
- See Secure & Protect Team Planning Issue for 15.3 (#365860 - closed)
- Work on priorities from UX Roadmap (&8141)
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
- 15.3 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/20
🔗 Helpful Links - How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- Performance Indicators (team members only)
- Unofficial Static Analysis Usage Dashboard (team members only)
- SAST Analyzer job performance metrics (team members only)