16.7 Planning—Static Analysis
🔒 Secure, Static Analysis - Milestone Planning
This is a planning issue for devops::secure / group::static analysis, which maintains:
- Category:SAST, including IaC Scanning.
- Category:Secret Detection.
- Category:Code Quality.
See the group handbook page for more about this issue and how it fits into group workflows.
In this issue:
Narrative
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
| Initiative | Item | Why? | Area | DRI(s) |
|---|---|---|---|---|
| | Build a Ruby gem to perform secrets regex match... (&11612 - closed) | This is one of the two main workstreams we need to complete in order to deliver [MVC] Build first iteration of pre-receive secr... (&11587 - closed) | Category:Secret Detection | |
| | Create a push check to run secrets detection sc... (&11613 - closed) | This is one of the two main workstreams we need to complete in order to deliver [MVC] Build first iteration of pre-receive secr... (&11587 - closed) | Category:Secret Detection | |
| | MR Changes tab: Make triage easier by adding SA... (&10959) | This will allow us to deliver an initial iteration to our customers that will show SAST findings in the MR changes tab, as well as have the findings details show up in a drawer for both CQ and SAST findings. See this summary update for more detail. | Category:SAST, Category:Code Quality | |
| | SAST Rule Stuff | There's a handful of initiatives in progress that are setting the groundwork to speed up our Semgrep conversions, which will allow us to deprecate analyzers more efficiently and ultimately improve our SAST ruleset quality as a result. | Category:SAST | |
| | [Merge Request Findings] - Iteration 2 - Improv... (&10996 - closed) | This iteration will improve the UX of the recently released MVC for MR findings in VSCode. | | |
Status of this list: Finalizing with input on status of carryover work, bugs, maintenance
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. It's generally in priority order (most important at the top).
| Initiative | Item | Why? | Area |
|---|---|---|---|
Good candidate issues if time allows
| Item | Why? | Area |
|---|---|---|
Please suggest others or add them directly.
Learn and react
We'll engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:
TBD
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product Manager: @sarahwaldner
UX Designer: @mfangman
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
Initial thoughts below
From a group::static analysis perspective, the following would likely improve customer outcomes:
Anticipated release posts and documentation include:
- Monthly analyzer updates
Planned new content
- Complete docs: Improve analyzer documentation around why... (#409127 - closed) (Carried over from 16.5 milestone)
- Review UI designs and UI text for the secret detection hooks
Planned maintenance
Quality
This section includes group inputs and the plan for Quality in the milestone.
Input on group priorities
Team members have been working to identify changes to our rule and analyzer testing. These efforts should inform our proactive Quality efforts this milestone.
Quality plan
Pending