16.0 Planning—Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for devops::secure group::static analysis, which maintains:
- Category:SAST, including IaC Scanning.
- Category:Secret Detection.
- Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
In this issue:
- Narrative
- Priorities
- Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: Finalizing with input on status of carryover work, bugs, maintenance
| Initiative | Item | Why? | Area |
|---|---|---|---|
| 16.0 deprecations (all of #356609 (closed)) | Upgrade SAST analyzers to use v15 of the Securi... (#375364 - closed) • Serena Fang, James Liu • 16.0 | Required for %16.0 schema updates | SAST, SD, IaC |
| | Static Analysis Analyzer consolidation in 16.0 (#390416 - closed) • rossfuhrman • 16.0 | Streamlines maintenance and customer experience; pre-announced for 16.0 breaking change window | SAST |
| | Update parsing of *_DISABLED variables in Secur... (#362311 - closed) • rossfuhrman • 16.0 | Addresses customer concern about _DISABLED vars; pre-announced for 16.0 breaking change window | SAST, SD, IaC |
| Consolidate analyzers to improve consistency and customizability | Use SAST-rules repo as single source of truth f... (#390908 - closed) • Craig Smith • 16.1 | Completes long-pending migration; reduces conflicts with other rule changes. See maintenance thread below: #396369 (comment 1323122746) | SAST |
| | Migrate NodeJS scan rules to Semgrep-based anal... (#395487 - closed) • Craig Smith • 17.0 • Needs attention | Makes it possible to iterate on NodeJS rules the same way as other JS rules; reduces the number of analyzers customers run and we maintain | SAST |
| | Migrate Scala SAST coverage from SpotBugs to Se... (#362958 - closed) • Vishwa Bhat • 16.0 • At risk | Further reduces reliance on SpotBugs, which requires compilation; requested by customers | SAST |
| Improve usability of key workflows | Backend - Include SAST findings in inline diff ... (#389867 - closed) • Ahmed Hemdan • 16.0 | Unblocks frontend work toward a significant usability improvement; demonstrates the value of an integrated platform; takes advantage of recent great work in CQ | SAST |
| | Include SAST findings inline in the MR Changes ... (#384989 - closed) • Jannik Lehmann, Michael Fangman+ • 16.0 | Significant usability improvement; demonstrates the value of an integrated platform; takes advantage of recent great work in CQ | SAST |
| | Add CI/CD variable to inject custom SAST, Secre... (#393452 - closed) • Lucas Charles, Michael Fangman+ • 16.1 • On track | MVC toward a significant customer problem; %15.11 delivery chance telegraphed to customers | SAST, IaC |
| | VET for Go | Pushes toward detection mode | SAST |
| Reshape Code Quality | Dogfood bring-your-own Code Quality for gitlab-... (#385110) • rossfuhrman • Backlog • On track | Add additional dogfooding opportunities for report ingestion and UI views. Discover issues before customers do! | Code Quality |
| IDE integration | Support frontend development for Show CI/CD-pipeline-based vulnerability results... (&9004) | Key point of sales friction; sets us up for future iterations in this area | SAST, SD, IaC |
| | (POSSIBLE) Implement backend API to unblock existing IDE work: [BE] Add public api endpoint for MR Vulnerabili... (#408350 - closed) • Mehmet Emin INAC • 16.1 | See above | SAST, SD, IaC |
| Advance Secret Detection | Add automatic response for leaked Postman tokens (#403825 - closed) • James Liu • 16.1 | Partner integration, furthers value of auto-response | SD |
@gitlab-org/secure/static-analysis
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. It's generally in priority order (most important at the top).
| Initiative | Item | Why? | Area |
|---|---|---|---|
| Improve usability of key workflows | Customer problem: Track secret detection findin... (#387583 - closed) • Unassigned • Backlog | Serious problem with usability over time; makes FP results extremely onerous | SD |
| | Expand Advanced Vulnerability Tracking to SAST ... (#373921 - closed) • Craig Smith • 16.4 | Possible fast path to improved UX with existing technology/techniques | SAST |
| | Longer-term discussion: https://gitlab.com/gitlab-org/gitlab/-/issues/404529+s (team members only) | | SAST |
| Consolidate analyzers to improve consistency and customizability | Evaluate open-source rulesets for Migrate phpcs-security-audit coverage to Semgre... (#364060 - closed) • Adam Cohen • 16.10 | Possible quick win for analyzer coverage | SAST |
| Advance Secret Detection | Evaluate Secret Detection findings should not all be Cri... (&10320) for feasibility | See epic for motivation. These may be quick paths to improvement. | SD |
| | Check-in on Technical discovery: Secret Detection as a plat... (#376716 - closed) • Unassigned • Backlog to identify what we've learned and what gaps remain | This has been a long-running conversation and we've learned a lot. Let's gather our thoughts and see where it pushes us. | SD |
Good candidate issues if time allows
| Item | Why? | Area |
|---|---|---|
| Other Secret Detection partner integrations: Automatic response to leaked secrets: Partner I... (&4944) | Furthers value of auto-response | SD |
| Allow configuration of spotbugs effort level (#300234 - closed) • Vishwa Bhat • 16.1 | Quick win for SpotBugs, which runs very long | SAST |
Blocked Frontend Issues to address next milestone
Please suggest others or add them directly.
Learn and react
We'll engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:
TBD
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product Manager: @connorgilbert
- Update direction pages to new format
- Engage on MR redesign efforts
- Summarize UX Heuristic review results and schedule for implementation
- Contribute to new Static Analysis JTBDs
UX Designer: @mfangman
- See planning issue (link: TODO)
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
Initial thoughts below
From a group::static analysis perspective, the following would likely improve customer outcomes:
Anticipated release posts and documentation include:
- Monthly analyzer updates
Planned new content
TBD
Planned maintenance
- Resolve docs style guide infractions in the "SAST analyzers" page.
Quality
This section includes group inputs and the plan for Quality in the milestone.
Input on group priorities
Team members have been working to identify changes to our rule and analyzer testing. These efforts should inform our proactive Quality efforts this milestone.
Quality plan
Pending