15.5 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for the devops::secure group::static analysis group, which maintains Category:SAST, Category:Secret Detection, and Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
Note
This month, @amarpatel and @connorgilbert decided to experiment with the format of the planning issue, taking into account input from various group members. Common themes in that input were that the previous format seemed to:
- make it difficult to identify individual high-priority work items.
- lead to a sense of "working on everything all the time".
- obscure the specific issues that needed attention.
- imply that preparatory work, such as refinement and design, had to be done "in the background" instead of being a full-fledged priority for the group.
Feedback is very welcome.
Narrative
We have seen substantial gains in performance and customizability through conversions to Semgrep-based scanning. We'll continue investing in this area to improve the user experience of enabling, customizing, and maintaining SAST coverage.
Secret Detection has risen in importance to the company, including as part of the Token Management Working Group, and continues to experience substantial growth in monthly usage. We have the opportunity to lean in, resolve common points of confusion, and push the feature category forward. Doing so will help us better protect GitLab the project, GitLab the company, and users.
For Code Quality, we are about to embark on a new direction for scanning, so we should wrap up loose ends and get ready for that.
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: draft, pending input from group members. Does not yet include type::bug or type::maintenance items.
Item | Why? |
---|---|
Migrate Scala SAST coverage from SpotBugs to Se... (#362958 - closed) | This further reduces our dependency on SpotBugs and is requested by a key GitLab Ultimate Sec user. We also have done some of the legwork before as part of adding Java support. |
Complete existing VET language support issue (https://gitlab.com/gitlab-org/gitlab/-/issues/356378 - confidential issue). Reflect on any lessons learned to better prepare for the next language. | Continues work that is near completion. Allows us to explore next steps after completing this language support effort. |
Investigation: Code Quality performance with mu... (#358759 - closed) | Continues work in progress. Informs possible changes now or longer-term. |
Close out backend issues for Code Quality widget refactor &7701 (closed) | Allows us to remove a feature flag. Has been pending for a long time. |
Continue frontend efforts to refine Code Quality inline findings (&8071 (closed)) | Prepares us to use the same UI for SAST findings. Also improves CQ experience for existing users. |
Remove End-of-Support analyzers from SAST confi... (#373116 - closed) | Clean up from %15.4, reduce confusion. |
Notify GitLab user when PAT is auto-revoked (#371911 - closed) to deliver Automatically revoke GitLab.com PATs discovered... (#371658 - closed) | We are very close to being able to automatically revoke GitLab.com tokens. We should push this over the line to better protect users and the platform. |
Update converted SAST analyzers with new rules ... (#373117 - closed) | We have converted a number of analyzers and will have removed the deprecated analyzers by default. We should take another pass to be sure coverage has remained up to date. Could be in collaboration with group::vulnerability research. |
Analyzer updates
We update analyzers every month. See https://gitlab.com/gitlab-org/security-products/release/-/issues/128 (team members only).
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones.
- Development: Define a plan for supporting MR pipeline scanning in Secret Detection: #372262 (closed).
  - The ideal outcome is a plan that we can schedule into a future milestone.
- Development/Product/UX: Defining a future architectural direction for Secret Detection that better protects users. (@theoretick)
  - Goals are identified in &8667.
  - The ideal outcome is a clearer definition of our direction from a Product, UX, and Development perspective.
  - To achieve this, we will likely need to have a few rounds of collaboration during the milestone.
  - @theoretick opened a Technical Discovery issue: Technical discovery: Secret Detection as a plat... (#376716 - closed)
- Development/Product/UX: (Stretch goal) Shaping the next iteration of Code Quality scan ingestion.
  - Here is the epic: &8790
  - The first step is for @connorgilbert to summarize the UX Research and outline the key needs going forward in a new issue (to be filed).
  - Following that, we should be able to at least identify some key architectural questions and an individual or group that will engage with them going forward.
- Product/UX: Defining inline-diff-view changes.
- Product/UX: Defining SAST profile ideas further.
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product manager: @connorgilbert
- Coordinate FedRAMP application changes, infrastructure analysis, product definition, and delivery. This will occupy a significant portion of my time.
UX Designer: @mfangman
- See planning issue (link: TODO)
- Work on priorities from UX Roadmap (&8141)
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
From a group::static analysis perspective, the following are key priorities:
- Improving the documentation of the Semgrep-based analyzer: #346839 (closed). Semgrep is being used more and more, so we are facing more questions.
- Clarifying existing Secret Detection coverage: #358755 (closed). We regularly receive support requests and field questions about this behavior.
- Clarifying that you can customize metadata for built-in kics rules.
Anticipated release posts and documentation include:
- Any completed Semgrep conversions
- Monthly analyzer updates
- GitLab token revocation
Planned new content
Pending
Planned maintenance
Pending
Quality
This section includes group inputs and the plan for Quality in the milestone.
Quality stable counterpart: @cahamed
Pending