16.11 Planning - Secret Detection (SD/CQ)

Secure, Secret Detection - Milestone Planning

This is a planning issue for Category:Secret Detection and Category:Code Quality, which are maintained by group::secret detection.
See the group handbook page for more about this issue and how it fits into group workflows.
Milestone Key Dates
- Duration: 2024-03-16 - 2024-04-12
- Release Date: 2024-04-18
Narrative
- Pre-receive Secret Detection
  - In 16.10 we focused on known MVC follow-ups, plus refining issues for the Beta phase.
  - In 16.11, we need to:
    - Finish refinement early in the milestone, with a deadline of the first week.
    - Kick off Beta development.
    - Account teams and customers are very excited about pre-receive scanning, so let's get it shipped and available to our interested customers (see #439921 (closed))!
- High-impact updates to the current Secret Detection system.
(See direction for discussion of these two themes and how they interact.)
Priorities
Key items to deliver
This section lists items that should be ready to deliver (or at least to move forward). Many of these items should be defined as ~Deliverable items, assuming they are feasible to deliver in the milestone.
Status of this list: Initially reviewed. We will add type::maintenance and type::bug items, and ensure that all type::feature work is included, before reviewing the overall list with team members.
| Initiative | Item | Why? |
|---|---|---|
| Existing system | SAST/SD: Shared remote ruleset configuration is... (#425730 - closed) • Ethan Urie • 17.0 | This issue is keeping people from suppressing false positives broadly across their orgs. (Status: This was investigated, put down for Cells, and is now up again. It also affects SAST and IaC Scanning. We are currently driving it; likely to be a collaboration with the Static Analysis team as well.) |
| Existing system | Track Secret Detection findings by filename and... (#434096 - closed) • Vishwa Bhat • 17.0 • On track | Tracking is by line number today, which creates a large number of findings for active repositories and causes false positives to be re-triaged. Also: the Vulnerability Report now defaults to "Still detected" as a filter, we don't mark SD findings as "no longer detected", and all are Critical, so they dominate the display. |
| Pre-receive | Add audit events for pre-receive secret detection (#441185 - closed) • Serena Fang • 16.11 • On track | Affects customer confidence in enabling the feature; we know we'll need auditing of some kind, so let's discover how that works now. This could also lead to identifying ways we might need to change the bypass mechanism. |
| Pre-receive | Introduce additional granular controls to toggl... (&13151) • Unassigned | We would like to discover possible complexity. This also enables people to test the feature on a single project or group. Unblocks development of product requirements and a technical integration plan for Security Policies. |
Possible tech debt to consider
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. It's generally in priority order (most important at the top).
| Initiative | Item | Why? |
|---|---|---|
| | Align client-side token warning feature with br... (#405147 - closed) • Dheeraj Joshi • 17.4 | We have a number of different places where secret patterns are defined. As we expand into pre-receive, this problem gets worse. |
| | Add detail of potential secrets in client-side ... (#412229 - closed) • Dheeraj Joshi • 17.2 • On track | |
| | Centralize token patterns for various features ... (#415690 - closed) • Craig Smith • 17.7 | |
Good candidate issues if time allows
| Item | Why? |
|---|---|
| Runbook for pre-receive | |
| Improve developer experience with secret push p... (&13036 - closed) | Need to refine the bypass mechanism |
Please suggest others or add them directly.
Learn and react
We'll engage with these initiatives, and respond within the milestone by filing issues or implementing if feasible:
TBD
Product and UX
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product Manager: @smeadzinger
- Transition tasks
UX Designer: @mfangman
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @rdickenson
Input on group priorities
Initial thoughts below
From a group::secret detection perspective, the following would likely improve customer outcomes:
- TBD
Anticipated release posts and documentation include:
- Monthly analyzer updates
Planned new content
TBD
Planned maintenance
TBD