15.6 Planning - Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for ~devops::secure ~group::static analysis, which maintains ~Category:SAST, ~Category:Secret Detection, and ~Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
Note: Feedback on the issue format is very welcome. See the 15.5 issue for more context on recent changes.
Narrative
Pending @connorgilbert
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: Draft.
Input needed:
- Development: What is going to carry over?
- Development: What maintenance should we target?
- Development/Quality: What bugs are the most impactful?
- Product: Which ~type::feature work should join the mix?
Item | Why? |
---|---|
Migrate Scala SAST coverage from SpotBugs to Se... (#362958 - closed) | This further reduces our dependency on SpotBugs and is requested by a key GitLab Ultimate Sec user. We also have done some of the legwork before as part of adding Java support. |
Complete existing VET language support issue (https://gitlab.com/gitlab-org/gitlab/-/issues/356378 - confidential issue). Reflect on any lessons learned to better prepare for the next language. | Continues work that is near completion. Allows us to explore next steps after completing this language support effort. |
Investigation: Code Quality performance with mu... (#358759 - closed) | Continues work in progress. Informs possible changes now or longer-term. |
Close out backend issues for Code Quality widget refactor &7701 (closed) | Allows us to remove a feature flag. Has been pending for a long time. |
Continue frontend efforts to refine Code Quality inline findings (&8071 (closed)) | Prepares us to use the same UI for SAST findings. Also improves CQ experience for existing users. |
Remove End-of-Support analyzers from SAST confi... (#373116 - closed) | Clean up from %15.4, reduce confusion. |
Notify GitLab user when PAT is auto-revoked (#371911 - closed) to deliver Automatically revoke GitLab.com PATs discovered... (#371658 - closed) | We are very close to being able to automatically revoke GitLab.com tokens. We should push this over the line to better protect users and the platform. |
Update converted SAST analyzers with new rules ... (#373117 - closed) | We have converted a number of analyzers and will have removed the deprecated analyzers by default. We should take another pass to be sure coverage has remained up to date. |
Re-examine Bandit rules. Identify possible changes based on recent feedback. | We expect increased usage as analyzer consolidation rolls out to more users. We have received specific feedback on issues with the rules. |
Automatically resolve vulnerabilities when a SA... (#368284 - closed) | Enables very impactful changes to default rulesets. |
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones.
Status: Draft, pending results of 15.5.
- Development: Define a plan for supporting MR pipeline scanning in Secret Detection: #372262 (closed).
- Development/Product/UX: Defining a future architectural direction for Secret Detection that better protects users.
  - Goals are identified in &8667.
  - The ideal outcome is a clearer definition of our direction from a Product, UX, and Development perspective.
  - To achieve this, we will likely need to have a few rounds of collaboration during the milestone.
- Development/Product/UX: Shaping the next iteration of Code Quality scan ingestion.
  - The goal for this milestone is to make progress on technical direction and prepare for implementation.
- Development/Product/UX: Experiment running VET in Detection mode for Go projects.
  - To achieve this, we need to write stencils recipes equivalent to gosec/semgrep-go rules.
- Product/UX: Defining inline-diff-view changes.
- Product/UX: Defining SAST profile ideas further.
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product manager: @connorgilbert
- Coordinate FedRAMP application changes, infrastructure analysis, product definition, and delivery. This will occupy a significant portion of my time.
UX Designer: @mfangman
- See planning issue (link: TODO)
- Work on priorities from UX Roadmap (&8141)
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
From a ~"group::static analysis" perspective, the following are key priorities:
- Improving the documentation of the Semgrep-based analyzer: #346839 (closed). Semgrep is being used more and more, so we are facing more questions.
- Clarifying existing Secret Detection coverage: #358755 (closed). We regularly receive support requests and field questions about this behavior.
- Clarifying that you can customize metadata for built-in kics rules.
Anticipated release posts and documentation include:
- Any completed Semgrep conversions
- Monthly analyzer updates
- GitLab token revocation
Planned new content
Pending
Planned maintenance
Pending
Quality
This section includes group inputs and the plan for Quality in the milestone.
Quality stable counterpart: @cahamed
Identify test gaps iteratively:
- E2E browser tests in issue