15.11 Planning—Static Analysis

🔒 Secure, Static Analysis - Milestone Planning

This is a planning issue for ~devops::secure ~group::static analysis, which maintains:

See the group handbook page for more about this issue and how it fits into group workflows.

In this issue:

Narrative

We've delivered some significant improvements in recent milestones, including auto-resolution and the removal of the most false-positive-prone rule we had; check out the release post highlight summarizing these two items.

This milestone we'll focus on our 16.0 deprecations plus some long-in-the-making improvements that should give customers a better experience and avoid bugs.

Team members can also check the metrics we use to assess Static Analysis. Note that this page will be updated in the next few days with more recent data.

Priorities

Key items to deliver

This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.

| Item | Why? | Area |
| --- | --- | --- |
| Post-process leaked credentials on all branches... (#299212 - closed) • Ahmed Hemdan • 15.11 | Protects public branches and MRs when secrets are first leaked, even before the secrets land on the default branch; broadens reach and impact of existing revocation features | SD |
| Upgrade SAST analyzers to use v15 of the Securi... (#375364 - closed) • Serena Fang, James Liu • 16.0 | Required for %16.0 schema updates | SAST, SD, IaC |
| Use SAST-rules repo as single source of truth f... (#390908 - closed) • Craig Smith • 16.1 | Completes long-pending migration; reduces conflicts with other rule changes. See maintenance thread below: #396369 (comment 1323122746) | SAST |
| Migrate NodeJS scan rules to Semgrep-based anal... (#395487 - closed) • Craig Smith • 17.0 • Needs attention | Makes it possible to iterate on NodeJS rules the same way as other JS rules; reduces the number of analyzers customers run and we maintain | SAST |
| Migrate Scala SAST coverage from SpotBugs to Se... (#362958 - closed) • Vishwa Bhat • 16.0 • At risk | Further reduces reliance on SpotBugs, which requires compilation; requested by customers | SAST |
| Static Analysis Analyzer consolidation in 16.0 (#390416 - closed) • rossfuhrman • 16.0 | Streamlines maintenance and customer experience; pre-announced for the 16.0 breaking change window | SAST |
| Update parsing of `*_DISABLED` variables in Secur... (#362311 - closed) • rossfuhrman • 16.0 | Addresses customer concern about `_DISABLED` vars; pre-announced for the 16.0 breaking change window | SAST, SD, IaC |
| Backend - Include SAST findings in inline diff ... (#389867 - closed) • Ahmed Hemdan • 16.0 | Unblocks frontend work toward a significant usability improvement; demonstrates the value of an integrated platform; takes advantage of recent great work in CQ | SAST |
| Add CI/CD variable to inject custom SAST, Secre... (#393452 - closed) • Lucas Charles, Michael Fangman+ • 16.1 • On track | MVC toward a significant customer problem; %15.11 delivery chance telegraphed to customer | SAST, IaC |
| Dogfood bring-your-own Code Quality for gitlab-... (#385110 - closed) | Adds dogfooding opportunities for report ingestion and UI views. Discover issues before customers do! | Code Quality |
| Secret Detection: scan results are incorrectly ... (#398036 - closed) • James Liu • 15.11 | P1/S1 impacting usability of SD findings | SD |

This list is intended to include all 16.0 deprecation plans (16.0 Static Analysis Deprecations (#356609 - closed)) so that we have the implementations ready with enough margin before the 16.0 cutoff.

@gitlab-org/secure/static-analysis

Looking forward

This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!

This list is generally in priority order (most important at the top).

  1. Product/Development/UX: Make progress on this OKR.

  2. Product: Define Code Quality delivery strategy going forward (for &8790 (closed)).

  3. Product/Development: Work on future direction for tracking findings as they move (issue pending).

  4. Product/UX: Define Static Analysis-specific JTBDs to inform future UX planning.

Good candidate issues if time allows

| Item | Why? | Area |
| --- | --- | --- |
| Allow configuration of spotbugs effort level (#300234 - closed) • Vishwa Bhat • 16.1 | Quick win for SpotBugs, which runs very long | SAST |
| Migrate phpcs-security-audit coverage to Semgre... (#364060 - closed) • Adam Cohen • 16.10 | Brings a mostly-unmaintained analyzer to the Semgrep-based analyzer; requested by customers | SAST |
| Any bugs in the thread below, focusing on Quality of Life-type improvements | Bugs add up to bad experiences | All |
| Any items that would unblock frontend progress, in the thread below | Many features have limited reach or discoverability until they're in the frontend | All |

Learn and react

We'll engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:

Product and UX

This section includes other Product and UX context that may not fit into the Looking forward section above.

Product Manager: @connorgilbert

  • Update direction pages to new format

UX Designer: @mfangman

  • See planning issue (link: TODO)

Documentation

This section includes group inputs and the plan for Technical Writing in the milestone.

Technical Writing stable counterpart: @rdickenson

Input on group priorities

Initial thoughts below

From a ~group::static analysis perspective, the following would likely improve customer outcomes:

  • TBD

Anticipated release posts and documentation include:

  • Monthly analyzer updates

Planned new content

Planned maintenance

None due to PTO

Quality

This section includes group inputs and the plan for Quality in the milestone.

Input on group priorities

Team members have been working to identify changes to our rule and analyzer testing. These efforts should inform our proactive Quality efforts this milestone.

Quality plan

Pending

Edited by Connor Gilbert