Dogfood Pre-receive SD on Sec Section projects
Overview
In Phase 1, we will aim to enable the feature for projects within the Sec Section.
The goals of this dogfooding are to:
- Increase our confidence in the general performance of the feature as it relates to the entire GitLab system
- Increase our confidence in the general behavior of the feature, i.e. does it work as expected
- Get any general feedback, as well as feedback about the Beta features as they are available
The rough plan for Phase 1 dogfooding:
- Enable pre-receive through the Security and Compliance Admin panel
- Enable for secrets analyzer (group)
- Enable for other Static Analysis/SD analyzers and projects (group).
- Expand to other analyzers and Secure projects (stage).
- Expand to govern and VR projects (section).
After each step in the plan, we will monitor the performance, first through the Gitaly Latency dashboard for PreReceiveHook, and then, once it is complete, through the baseline monitoring dashboard and runbook from "Create baseline monitoring dashboard and runboo..." (#455896 - closed, Ahmed Hemdan, 17.0).
Feature Flag status for select projects
| Project (linked to Security Config) | FF Status | Setting Status | Namespace path (for enabling/disabling) |
|---|---|---|---|
| secrets | enabled | enabled | gitlab-org/security-products/analyzers/secrets |
| code quality | enabled | enabled | gitlab-org/ci-cd/codequality |
| semgrep | enabled | disabled | gitlab-org/security-products/analyzers/semgrep |
| android-dependency-scanning | enabled | enabled | components/android-dependency-scanning |
| browserker | enabled | disabled | gitlab-org/security-products/analyzers/browserker |
| gemnasium | enabled | enabled | gitlab-org/security-products/analyzers/gemnasium |
| sast-rules | enabled | enabled | gitlab-org/security-products/sast-rules |
| lightz | enabled | disabled | gitlab-org/security-products/oxeye/product/lightz |
| container-scanning | enabled | enabled | gitlab-org/security-products/analyzers/container-scanning |
| license-processor | enabled | enabled | gitlab-org/security-products/license-db/license-processor |
| license-feeder | enabled | enabled | gitlab-org/security-products/license-db/license-feeder |
| NULL | disabled | | |
Statuses should be:
- NULL if it hasn't been enabled yet
- enabled
- disabled
To keep things organized, we'll initially limit enabling the feature flag for a given project to @rossfuhrman. This will be done with a command like:
/chatops run feature set --project=the-namespace/of-the-project pre_receive_secret_detection_push_check true
But, if there are problems, anyone should feel free to disable at their discretion. That would be done with a very similar command, like:
/chatops run feature set --project=the-namespace/of-the-project pre_receive_secret_detection_push_check false
Further instructions can be found in the in-progress runbook page MR: gitlab-com/content-sites/handbook!5164 (merged)
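As an added example (not part of this issue or of GitLab's own tooling), the helper below parses the status table above, checks every status against the legend, and generates the chatops enable/disable commands from the flag name and namespace paths in this issue; `parse_table`, `rollback_commands` and `pending_commands` are names chosen here, and the `example-project` row is constructed to show the NULL case.

```python
"""Parse the dogfood status table and generate chatops commands (added example)."""

FLAG = "pre_receive_secret_detection_push_check"
VALID_STATUSES = {"NULL", "enabled", "disabled"}  # the legend from the issue

# Rows copied from the issue's table, plus one constructed NULL row.
STATUS_TABLE = """\
Project | FF Status | Setting Status | Namespace path |
---|---|---|---|
secrets | enabled | enabled | gitlab-org/security-products/analyzers/secrets |
semgrep | enabled | disabled | gitlab-org/security-products/analyzers/semgrep |
browserker | enabled | disabled | gitlab-org/security-products/analyzers/browserker |
example-project | NULL | disabled | group/example-project |
"""


def parse_table(text):
    """Return one dict per data row; header and separator rows are skipped.

    Raises ValueError if a status is not one of the legend values, so a
    typo in the table cannot silently drop a project from the rollout.
    """
    rows = []
    for line in text.splitlines()[2:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue  # blank or malformed line
        project, ff, setting, namespace = cells[:4]
        for status in (ff, setting):
            if status not in VALID_STATUSES:
                raise ValueError(f"{project}: unexpected status {status!r}")
        rows.append({"project": project, "ff": ff,
                     "setting": setting, "namespace": namespace})
    return rows


def chatops_command(namespace, enable):
    """Build the per-project chatops command shown in the issue."""
    return (f"/chatops run feature set --project={namespace} "
            f"{FLAG} {'true' if enable else 'false'}")


def rollback_commands(rows):
    """Commands to disable the flag everywhere it is currently enabled."""
    return [chatops_command(r["namespace"], False) for r in rows if r["ff"] == "enabled"]


def pending_commands(rows):
    """Commands to enable the flag for projects still at NULL."""
    return [chatops_command(r["namespace"], True) for r in rows if r["ff"] == "NULL"]
```

Keeping the rollback list ready before each rollout step makes the "if there are problems, disable" path a copy-paste rather than a lookup.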
Implementation Plan
- Complete Test plan for enabling in Security and Compliance Admin panel
- Complete Test plan for secrets analyzer
- Enable for selected Static Analysis/SD analyzers and projects and gather feedback
- Enable for other selected analyzers and Secure projects and gather feedback
- Enable for selected govern and VR projects and gather feedback
Exit Criteria
- No show stoppers have been reported
- Performance of git pushes is not impacted significantly
- Secure and Govern teams have had a chance to get the feature enabled for their relevant projects
Refinement Progress
If a checkbox is not relevant for the issue, please remove it.
- This issue describes a problem to solve, or a task to complete, and it's confirmed.
- This issue describes a proposal or an implementation plan that outlines a way to solve the problem or complete the task.
- This issue is the smallest iteration possible and doesn't require further breakdown.
- This issue has a weight set (based on how many tasks or merge requests are required) and the `needs weight` label is removed.
- This issue is labeled correctly.
- This issue is reviewed by another team member to confirm strategy and estimate.
- Finally, add the `workflow::ready for development` label to this issue.