16.10 Planning—Static Analysis (SAST/IaC and Secret Detection/Code Quality sub groups)

🔒 Secure, Static Analysis - Milestone Planning

This is a planning issue for the `devops::secure` / `group::static analysis` group, which maintains:

See the group handbook page for more about this issue and how it fits into group workflows.


Narrative

As we continue to navigate the team split, we'll track both sub teams' %16.10 priorities in this issue.

SAST/IaC team

This milestone, the SAST/IaC team will continue to focus on:

  1. Analyzer consolidation, with a goal of deprecating as many analyzers as we can by %17.0.
  2. Improving GitLab-maintained SAST rulesets and release process, in collaboration with the VR team.

These efforts directly align with the "Result quality", "Day 1 experience", and "Day 2 efficiency" themes described in our 1-year plan.

Secret Detection/Code Quality team

The Secret Detection/Code Quality team will focus on:

  1. Pre-receive Secret Detection
    1. Wrapping up the MVC iteration of Pre-receive Secret Detection
    2. Transitioning into the Beta phase. This milestone will be a refinement-heavy milestone in order to make sure the Beta phase is clearly scoped and that we're aligned on the expectations/direction of this iteration.
  2. High-impact updates to the current Secret Detection system.
  3. Creating a proposal that defines what work is needed in order to move forward with our new direction for Code Quality scanning. This will allow us to share how we plan to implement the BYOT approach that will make it easier for customers to onboard to our Code Quality offering.

Both teams

Both teams will also be working through a discovery effort in order to support the Cells 1.0 initiative. This initiative is one of the top priorities for FY2025, with the goal of providing additional scalability for GitLab.com.

Priorities

Key items to deliver

This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.

Facilitate the split of our group into two

Status of this list: Finalizing with input on status of carryover work, bugs, maintenance

Good candidate issues if time allows

| Item | Why? | Area |
| --- | --- | --- |
| SAST/SD: Shared remote ruleset configuration is... (#425730 - closed) | This is a highly requested fix that is blocking Ultimate adoption for a number of customers. | Category:SAST |

Please suggest others or add them directly.

Product and UX

This section includes other Product and UX priorities.

Product Manager: @connorgilbert

UX Designer: @mfangman

Documentation

This section includes group inputs and the plan for Technical Writing in the milestone.

Technical Writing stable counterpart: @rdickenson

Input on group priorities

Initial thoughts below

From a `group::static analysis` perspective, the following would likely improve customer outcomes:

Anticipated release posts and documentation include:

Planned release posts

  • Monthly analyzer updates

Planned new content

Planned maintenance

Quality

This section includes group inputs and the plan for Quality in the milestone.

Input on group priorities

Quality plan

Pending
