15.7 Planning — Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for ~devops::secure ~"group::static analysis", which maintains Category:SAST, Category:Secret Detection, and Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
Narrative
We've delivered great improvements in the past few milestones—from migrating to Semgrep-based scanning for popular languages to developing proprietary language scanning capabilities to solving long-standing issues with MR pipelines.
We have the opportunity to deliver on a number of strategic priorities if we're disciplined about iterating to improve user experience. This will require us to collaborate across the group, and with counterparts, to bite off feasible chunks from larger initiatives.
Note that we're also in a new quarter. Team members can view a relevant OKR; the final KR in Product OKR 2.1.3 is shared between Product and Development and reflects our ongoing efforts to improve the signal-to-noise ratio for our users.
Team members can also view a metrics update based on progress in the last month.
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: Draft pending input from @gitlab-org/secure/static-analysis. Needs ~"type::bug" and ~"type::maintenance" input.
Item | Why? | Area |
---|---|---|
Migrate Scala SAST coverage from SpotBugs to Se... (#362958 - closed) | This further reduces our dependency on SpotBugs and is requested by a key GitLab Ultimate Sec user. We also have done some of the legwork before as part of adding Java support. | SAST |
Add False Positive Reduction for Go (https://gitlab.com/gitlab-org/gitlab/-/issues/378622) | Completes production "plumbing" for new language support. Sets up for future FP reduction in Semgrep-based analyzer. | SAST |
Continue frontend efforts to refine Code Quality inline findings (&8071 (closed)) | Prepares us to use the same UI for SAST findings (#384989 (closed)). Also improves CQ experience for existing users. | Code Quality |
Update converted SAST analyzers with new rules ... (#373117 - closed) | We have converted a number of analyzers and will have removed the deprecated analyzers by default. We should take another pass to be sure coverage has remained up to date. | SAST |
Automatically resolve vulnerabilities when a SA... (#368284 - closed) | Needed to unblock false positive mitigations | SAST first, but also others |
Disable noisy `detect-object-injection` rule by... (#373920 - closed) | Single noisiest rule, often causes problems in customer projects | SAST |
Update gitlab-org/gitlab linter jobs to output to Code Quality (@connorgilbert to file issue) | Add additional dogfooding opportunities for report ingestion and UI views. Discover issues before customers do! | Code Quality |
Update Secret Detection with patterns from partners | Ensure we are detecting the right things! Prepare for partner integration. | Secret Detection |
Enable Secret Detection MR pipelines (#372262 - closed) | Fix a common cause of customer issues and confusion | Secret Detection |
Learn and react: engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:
- Dogfooding of PAT revocation #371658 (closed)
- Dogfooding Code Quality in Technical Writing linters #378718 (comment 1166553730)
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. It's generally in priority order (most important at the top).
- Development: Define implementation plan or any new system requirements to enable showing SAST findings in the diff view, as Code Quality findings are today. (Include SAST findings inline in the MR Changes ... (#384989 - closed))
- Development/Product/UX: Solidify plan for "quick win" on enabling rule customization in Scan Execution Policies or Compliance Frameworks. (See meeting notes (team members only) and existing issue #257928 (closed)).
- Development/Product/UX: Defining a future architectural direction for Secret Detection that better protects users.
  - Goals are identified in &8667.
  - Ideal outcome this milestone is an MVC definition that incorporates input from Development, Product, UX, and anyone else who wishes to contribute.
- Development: Identify path forward on the following confidential Secret Detection partner: &8835 (@connorgilbert will upload additional info)
- Product/UX: Respond to UX Benchmark issue by identifying small changes and larger re-evaluations for SAST configuration. (ux-research#2169 (closed); don't over-rotate on specific tasks; see meeting notes (team members only))
- Development/Product: Contribute to 16.0 deprecation goals. We have only a few more milestones before we must announce any deprecations. (#356609 (closed))
- Development/Product: Understand our metrics. Produce a document outlining what we have today and our wish list if we could have any data we wanted to understand how our product is being used and experienced. (@connorgilbert to file issue; issue discussed here)
- Product/UX: Defining SAST profile ideas further (&8332 (closed)).
The work that makes the work work
- Process for rule coordination
- Definition of how Static Analysis responds to inbound requests during the milestone
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product manager: @connorgilbert
- Coordinate FedRAMP application changes, infrastructure analysis, product definition, and delivery. This will occupy a significant portion of my time.
- Move Code Quality forward
  - Write Code Quality MVC issue (referenced in deliverables above)
  - File Opportunity Canvas (Lite) to align with Product leadership
- Write SAST diff issue (referenced in deliverables above)
- Update direction pages to:
  - Remove metrics not actually used
  - Add FP Reduction to narrative
  - Specify focus on particular types of detection within Secret Detection
- Develop rollout plan for PAT revocation
  - File blog proposal
  - Contact field organizations
- Propose IaC Security as a standalone category
UX Designer: @mfangman
- See planning issue (link: TODO)
- Prepare SAST profiles and UX Roadmap for broader engagement in the group
- Work on priorities from UX Roadmap (&8141)
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
From a ~"group::static analysis" perspective, the following are key priorities:
- Improving the documentation of the Semgrep-based analyzer: #346839 (closed). Semgrep is being used more and more, so we are facing more questions.
- Clarifying existing Secret Detection coverage: #358755 (closed). We regularly receive support requests and field questions about this behavior.
- Discussion/Meta: Identifying how to reduce duplication between similar feature areas. This would help us with maintenance effort, and help customers see the commonalities between feature categories. For example, we have very similar (almost identical) customization options, and similar ways of setting pinned analyzer versions. Could we refactor the common content out, and thereby slim down the feature-category-by-feature-category content to what's truly unique?
Anticipated release posts and documentation include:
- Any completed deliverable items from above
- Monthly analyzer updates
- Progress on GitLab.com PAT revocation
Planned new content
- None
Planned maintenance
Quality
This section includes group inputs and the plan for Quality in the milestone.
Quality stable counterpart: @cahamed
Input on group priorities
Team members have been working to identify changes to our rule and analyzer testing. These efforts should inform our proactive Quality efforts this milestone.
Quality plan
Pending from @cahamed