
Dogfood Pre-receive SD on Sec Section projects

Overview

In Phase 1, we will aim to enable the feature for projects within the Sec Section.

The goals of this dogfooding are to:

  • Increase our confidence in the general performance of the feature as it relates to the entire GitLab system
  • Increase our confidence in the general behavior of the feature, i.e. does it work as expected
  • Get any general feedback, as well as feedback about the Beta features as they are available

The rough plan for Phase 1 dogfooding:

  • Enable pre-receive through the Security and Compliance Admin panel.
  • Enable for the secrets analyzer (group).
  • Enable for other Static Analysis/SD analyzers and projects (group).
  • Expand to other analyzers and Secure projects (stage).
  • Expand to Govern and VR projects (section).

After each step in the plan, we will monitor performance, first through the Gitaly Latency dashboard for PreReceiveHook, and then, once it is complete, through the dashboard delivered by "Create baseline monitoring dashboard and runboo..." (#455896, closed; Ahmed Hemdan; 17.0).

Feature Flag status for select projects

| Project (linked to Security Config) | FF Status | Setting Status | Namespace path (for enabling/disabling) |
|---|---|---|---|
| secrets | enabled | enabled | gitlab-org/security-products/analyzers/secrets |
| code quality | enabled | enabled | gitlab-org/ci-cd/codequality |
| semgrep | enabled | disabled | gitlab-org/security-products/analyzers/semgrep |
| android-dependency-scanning | enabled | enabled | components/android-dependency-scanning |
| browserker | enabled | disabled | gitlab-org/security-products/analyzers/browserker |
| gemnasium | enabled | enabled | gitlab-org/security-products/analyzers/gemnasium |
| sast-rules | enabled | enabled | gitlab-org/security-products/sast-rules |
| lightz | enabled | disabled | gitlab-org/security-products/oxeye/product/lightz |
| container-scanning | enabled | enabled | gitlab-org/security-products/analyzers/container-scanning |
| license-processor | enabled | enabled | gitlab-org/security-products/license-db/license-processor |
| license-feeder | enabled | enabled | gitlab-org/security-products/license-db/license-feeder |
|  | NULL | disabled |  |

Values in the status columns should be one of:

  • NULL if the flag has not been set for the project yet
  • enabled
  • disabled

To keep things organized, we'll initially limit enabling the feature flag to @rossfuhrman. The flag is set per project via ChatOps, with --project= taking the full namespace path from the table above, e.g.:

/chatops run feature set --project=the-namespace/of-the-project pre_receive_secret_detection_push_check true

But if there are problems, anyone should feel free to disable it at their discretion, using the same command with false:

/chatops run feature set --project=the-namespace/of-the-project pre_receive_secret_detection_push_check false

Further instructions can be found in the in-progress runbook page MR: gitlab-com/content-sites/handbook!5164 (merged)
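To check, end to end, what a pre-receive secret check does to a push (accepts a clean commit, rejects one that adds a secret-like token, and keeps rejecting until the offending commit is out of the pushed range), here is an added local stand-in built from plain git. It is example code written for this page, not GitLab's implementation of pre_receive_secret_detection_push_check; the scanned token shape (glpat- followed by 20 token characters), the sample token, the file name config.txt and the helper names setup_server, push_file and run_demo are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not GitLab's code: a local stand-in for a pre-receive secret
# check, built from plain git so it runs offline. The token shape scanned for
# (glpat- followed by 20 token characters) and the sample token below are
# assumptions constructed for this demo.

# Create a bare "server" repo whose pre-receive hook rejects a push if any of
# the newly pushed commits ADDS a line matching the assumed token pattern.
setup_server() {
  srv="$1"
  git init -q --bare "$srv"
  git -C "$srv" symbolic-ref HEAD refs/heads/main   # so later clones check out main
  mkdir -p "$srv/hooks"
  cat > "$srv/hooks/pre-receive" <<'EOF'
#!/bin/sh
# git feeds one "oldrev newrev refname" line per updated ref on stdin.
pattern='glpat-[A-Za-z0-9_-]{20}'
zero='0000000000000000000000000000000000000000'
status=0
while read -r oldrev newrev refname; do
  [ "$newrev" = "$zero" ] && continue           # ref deletion: nothing to scan
  if [ "$oldrev" = "$zero" ]; then
    range="$newrev"                              # new branch: every commit is new
  else
    range="$oldrev..$newrev"                     # update: only the commits being added
  fi
  for rev in $(git rev-list "$range"); do
    # Only lines added by each commit are checked, so content that is already
    # on the server is not re-flagged on every push.
    if git show --format= --no-color -p "$rev" | grep -E '^\+' \
         | grep -q -E "$pattern"; then
      echo "rejected $refname: commit $rev adds a secret-like token" >&2
      status=1
    fi
  done
done
exit $status
EOF
  chmod +x "$srv/hooks/pre-receive"
}

# Clone the server, commit one file with the given content and push it to main.
# Prints "accepted" or "rejected" depending on whether the hook let it through.
push_file() {
  srv="$1"; work="$2"; content="$3"
  git clone -q "$srv" "$work" 2>/dev/null
  git -C "$work" config user.email demo@example.invalid
  git -C "$work" config user.name demo
  git -C "$work" config commit.gpgsign false
  printf '%s\n' "$content" > "$work/config.txt"
  git -C "$work" add config.txt
  git -C "$work" commit -q -m "update config"
  if git -C "$work" push -q origin HEAD:main 2>/dev/null; then
    echo accepted
  else
    echo rejected
  fi
}

# Runs three pushes and returns their outcomes as one space-separated string:
#   1. a clean file                           -> accepted
#   2. a file containing the sample token     -> rejected
#   3. a follow-up commit that deletes the token, pushed from the same clone
#      -> still rejected: the pushed range oldrev..newrev still contains commit 2
run_demo() {
  tmp=$(mktemp -d)
  setup_server "$tmp/server.git"
  fake_token='glpat-ExAmPlEtOkEn12345678'   # constructed for the demo, not a real credential
  r1=$(push_file "$tmp/server.git" "$tmp/clean" "db_host=localhost")
  r2=$(push_file "$tmp/server.git" "$tmp/leak" "token=$fake_token")
  printf 'db_host=localhost\n' > "$tmp/leak/config.txt"
  git -C "$tmp/leak" commit -q -am "remove token"
  if git -C "$tmp/leak" push -q origin HEAD:main 2>/dev/null; then r3=accepted; else r3=rejected; fi
  rm -rf "$tmp"
  echo "$r1 $r2 $r3"
}
```

Run it with `run_demo`; it prints `accepted rejected rejected`. The third outcome is the caveat worth knowing before the flag is turned on for a project: a push-time check scans every commit in the pushed range, so committing a removal on top of a leaked secret does not unblock the push. The author has to drop or amend the offending commit (for example `git reset --hard origin/main` and re-commit without the token) and rotate the credential, since it has already been written to a commit.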

Implementation Plan

Exit Criteria

  • No show stoppers have been reported
  • Performance of git pushes is not impacted significantly
  • Secure and Govern teams have had a chance to get the feature enabled for their relevant projects

Refinement Progress

If a checkbox is not relevant for the issue, please remove it.

  • This issue describes a problem to solve, or a task to complete, and it's confirmed.
  • This issue describes a proposal or an implementation plan that outlines a way to solve the problem or complete the task.
  • This issue is the smallest iteration possible and doesn't require further break down.
  • This issue has weight set, based on how many tasks or merge requests are required, and the "needs weight" label is removed.
  • This issue is labeled correctly.
  • This issue is reviewed by another team member to confirm strategy and estimate.
  • Finally, add the "workflow::ready for development" label to this issue.
Edited by rossfuhrman