15.8 Planning — Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for devops::secure / group::static analysis, which maintains Category:SAST, Category:Secret Detection, and Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
Narrative
We've delivered great improvements in the past few milestones—from migrating to Semgrep-based scanning for popular languages to developing proprietary language scanning capabilities to solving long-standing issues with MR pipelines.
This milestone, we have a few high-impact changes we are almost ready to deliver and some iterations that should significantly improve user experience.
Note that we're midway through Q4. Team members can view a relevant OKR; the final KR in Product OKR 2.1.3 is shared between Product and Development and reflects our ongoing efforts to improve the signal-to-noise ratio for our users. We've identified these as key items to improve customer outcomes, and we have committed to delivering them.
Team members can also check the metrics we use to assess Static Analysis. However, note that the December data will be analyzed toward the end of January; the last updates to that page were in November.
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: Draft pending input from group members. Needs type::bug and type::maintenance input.
| Item | Why? | Area |
|---|---|---|
| Fully ship Automatically revoke GitLab.com PATs discovered... (#371658 - closed) | Has been announced and previewed with customers | Secret Detection |
| Automatically resolve vulnerabilities when a SA... (#368284 - closed) | Needed to unblock false positive mitigations | SAST first, but also others |
| Disable noisy `detect-object-injection` rule by... (#373920 - closed) | Single noisiest rule, often causes problems in customer projects | SAST |
| Fully ship https://gitlab.com/gitlab-org/gitlab/-/issues/378622+ | Completes production "plumbing" for new language support. Sets up for future FP reduction in the Semgrep-based analyzer. | SAST |
| Include SAST findings inline in the MR Changes ... (#384989 - closed) | Take advantage of recent great work in CQ. Improve developer experience with SAST. | SAST |
| Dogfood bring-your-own Code Quality for gitlab-... (#385110) | Add additional dogfooding opportunities for report ingestion and UI views. Discover issues before customers do! | Code Quality |
| Enable Secret Detection MR pipelines (#372262 - closed) | Fix a common cause of customer issues and confusion | Secret Detection |
| Update converted SAST analyzers with new rules ... (#373117 - closed) | We have converted a number of analyzers and will have removed the deprecated analyzers by default. We should take another pass to be sure coverage has remained up to date. | SAST |
| Update Secret Detection with patterns from partners | Ensure we are detecting the right things! Prepare for partner integration. | Secret Detection |
| Possible: MVC for group-level customization of rules | Common confusion | SAST, Secret Detection |
| Possible: Revisit Advanced Vulnerability Tracking | Cause of recent issues | SAST |
Learn and react: engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:
- Dogfooding of PAT revocation #371658 (closed)
- Dogfooding Code Quality in Technical Writing linters #378718 (comment 1166553730)
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. It's generally in priority order (most important at the top).
- Development/Product/UX: Solidify plan for "quick win" on enabling rule customization in Scan Execution Policies or Compliance Frameworks. (See meeting notes (team members only) and existing issue #257928 (closed)).
- Development/Product/UX: Defining a future architectural direction for Secret Detection that better protects users.
  - Goals are identified in &8667.
  - Ideal outcome this milestone is an MVC definition that incorporates input from Development, Product, UX, and anyone else who wishes to contribute.
- Development: Identify path forward on the following confidential Secret Detection partner: &8835
- Development/Product: Contribute to 16.0 deprecation goals. We have only a few more milestones before we must announce any deprecations. (#356609 (closed))
- Product/UX: Respond to the UX Benchmark issue by identifying small changes and larger re-evaluations for SAST configuration. (ux-research#2169 (closed); don't over-rotate on specific tasks; see meeting notes (team members only))
- Product/UX: Defining SAST profile ideas further (&8332).
The work that makes the work work
- Process for rule coordination
- Definition of how Static Analysis responds to inbound requests during the milestone
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product manager: @connorgilbert
- Coordinate FedRAMP application changes, infrastructure analysis, product definition, and delivery. This will occupy a significant portion of my time.
- Move Code Quality forward
- File Opportunity Canvas (Lite) to align with Product leadership
- Update direction pages to:
  - Remove metrics not actually used
  - Add FP Reduction to narrative
  - Specify focus on particular types of detection within Secret Detection
  - Propose IaC Security as a standalone category
UX Designer: @mfangman
- See planning issue (link: TODO)
- Prepare SAST profiles and UX Roadmap for broader engagement in the group
- Work on priorities from UX Roadmap (&8141)
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
Draft from 15.7; needs update
From a ~"group::static analysis" perspective, the following are key priorities:
- Improving the documentation of the Semgrep-based analyzer: #346839 (closed). Semgrep is being used more and more, so we are facing more questions.
- Clarifying existing Secret Detection coverage: #358755 (closed). We regularly receive support requests and field questions about this behavior.
- Discussion/Meta: Identifying how to reduce duplication between similar feature areas. This would help us with maintenance effort, and help customers see the commonalities between feature categories. For example, we have very similar (almost identical) customization options, and similar ways of setting pinned analyzer versions. Could we refactor the common content out, and thereby slim down the feature-category-by-feature-category content to what's truly unique?
Anticipated release posts and documentation include:
- Any completed deliverable items from above
- Monthly analyzer updates
- Progress on GitLab.com PAT revocation
Planned new content
- As I've taken PTO for half the 15.8 cycle, I won't have time to produce any new content.
Planned maintenance
Quality
This section includes group inputs and the plan for Quality in the milestone.
Quality stable counterpart: @cahamed
Input on group priorities
Team members have been working to identify changes to our rule and analyzer testing. These efforts should inform our proactive Quality efforts this milestone.
Quality plan
Pending from @cahamed