15.4 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
devopssecure groupstatic analysis
See It all starts with planning for details of how the Static Analysis group interacts in this issue.
| Category | Direction | Maturity |
|---|---|---|
| Category:SAST | Epic / Direction | maturitycomplete |
| Category:Secret Detection | Epic / Direction | maturityviable |
| Category:Code Quality | Epic TBD / Direction | maturityminimal |
In this issue:
Narrative
In 15.3, we returned to a balanced focus on:
- Resolving strategic customer issues by investing in net-new feature work rather than specific bug fixes.
- Managing or mitigating other customer issues in an efficient, iterative manner.
- Investing in UI/UX.
We will continue this in 15.4, with largely the same set of themes.
Notably, in this release we will finalize a significant change that has been literally years in the making—the removal of several analyzers from our default CI/CD template!
It's important to remember that we can only invest in net-new work if we meet our baseline obligations, including SLOs and error budgets. Hence, while each maintenance or bug item may not individually have as high priority as our strategic efforts to move the ball forward, we have to keep those under control.
Themes
Engineering team: @gitlab-org/secure/static-analysis
Theme: Strategic analyzer improvements
Why: Improve user experience, reduce support issues, allow for future evolution via customizable rules, and reduce maintenance overhead.
- Continue Semgrep conversions (&5245 (closed)). See language priorities. For this milestone, we should target:
- C# (#347258 (closed))
- Scala (#362958 (closed))
- VET language support (https://gitlab.com/gitlab-org/gitlab/-/issues/356378 - team members only). With our progress so far, we should assess how it is gone so that we can estimate the effort required for further language efforts.
- Complete CI/CD template and documentation changes in stable template. (See iterative description in SAST Deprecation: Analyzer consolidation and CI... (#352554 - closed).)
Theme: Code Quality ownership
Why: We are about to embark on a scanning replacement. Understanding the current system can both improve internal and external user experience, and give us knowledge to inform our next iteration.
- Diagnose performance issues that blocked rollout of support for multiple reports in inline diffs and pipeline reports (#358759 (closed)) (backend to start)
- Revisit based on findings before %15.4 kickoff
- Investigate system design for the future. Requirements coming after @connorgilbert returns from PTO.
- Investigate quick wins for resolving issues with scanning in the interim while we research and develop a longer-term solution.
- See &8161 (closed) for identified problems.
- Spike on mirroring images to our repository? #343367 (closed), cf. https://gitlab.com/gitlab-com/legal-and-compliance/-/issues/905#note_991504353
Theme: UI/UX investment
Why: The easier it is to use our features, the more we expect they will be used. Competitive pressure also means that we need to continue reinforcing our One DevOps Platform value.
Our UI/UX surface is limited. The main focus for UI/UX advancement is enabling SAST findings in inline diffs, beginning with adapting and owning the implementation of Code Quality inline findings. We also need to align with overall MR widget restructuring efforts.
- Continue/complete [MR Widget Eng] Code quality (&7701 - closed) (backend)
- Continue adapting inline diff feature toward new design (&8071 (closed)) (frontend)
Theme: Customer issues
Why: Even bugs or issues below SLO directly affect the experience our existing and potential customers.
See bug issues tagged in the current milestone. Issues will be added based on sev/pri/SLO and input from cross-functional team members.
🆕 Monthly Analyzer Updates
Why: We have documented commitments to make updates on a predictable cadence. We also pick up new detection rules, bug fixes, and security updates during this process.
We have over a dozen analyzers that need to be maintained, these analyzers are checked and updated every month.
- General Updates
- Engineering team: @gitlab-org/secure/static-analysis
Issue: TODO @amarpatel (to be created during Week 1 of the release month)
Theme: Maintenance
Why: We need to make sure we invest in the ongoing stability and reliability of our product areas.
See issues tagged in the current milestone.
📚 Documentation priorities
Technical Writing stable counterpart: @rdickenson
New content
- Docs work for SAST Deprecation: Analyzer consolidation and CI... (#352554 - closed)
- Docs work for GitLab Semgrep-based analyzer documentation is ... (#346839 - closed) (together with work on the above issue)
Maintenance
Pending
Anticipated release posts
- Analyzer consolidation
- Any completed Semgrep conversions
- Monthly analyzer updates
- Support for multiple Code Quality reports, if completed/activated
🔬 Quality priorities
Quality stable counterpart: @cahamed
TODO
⏩ Planning priorities
Product Manager: @connorgilbert
- Analyze findings to inform direction for next iteration of Code Quality scanning.
- Get the new U.S. Public Sector Services group of the ground and otherwise contribute to FedRAMP scoping and delivery. This will occupy a significant portion of my time.
UX Designer: @mfangman
- See Secure & Protect Team Planning Issue for 15.3 (#365860 - closed)
- Work on priorities from UX Roadmap (&8141)
Outcomes
Release Post Candidates
Release post MRs for this milestone
Feedback
- 15.4 retrospective issue link: https://gitlab.com/gl-retrospectives/secure-sub-dept/static-analysis/-/issues/21
Helpful Links 🔗
- How we work
- Slack channel: #g_secure-static-analysis
- Static Analysis Group UX issues
- Issue boards - overview of all workflow stages
- Delivery Workflow Board - focused on development
- Planning Board - focused on pre-development
- Static Analysis Metrics
- Performance Indicators (team members only)
- Unofficial Static Analysis Usage Dashboard (team members only)
- SAST Analyzer job performance metrics (team members only)