Create a guide for how to tune SAST rules and contribute them back to GitLab
Problem to solve
The detection rules we make available for the semgrep SAST analyzer are source-available in the sast-rules repository. Documentation has been produced describing what this repository is and how it is used. We have also produced documentation showing how rules can be customized on a project-by-project basis. What we haven't done is document what is necessary for account team members or customers to tune rules to improve the quality of customer results and to contribute rule updates back to GitLab.
Further details
We have a lot of customer requests and escalations when SAST results do not meet customer expectations. It is possible to optimize these results to meet customers' specific risk thresholds. We want to enable the field (and customers, where appropriate) to do this without the direct involvement of Product and Engineering in the triage and tuning process. Rules that are contributed back to GitLab will be reviewed and merged to production by Engineering. We will be writing a how-to guide in partnership with Customer Success Engineering.
Proposal
Create a how-to guide that walks a user through understanding their SAST results, identifying rules that need to be tuned or disabled, and creating new rules themselves (if desired) and contributing those to GitLab. The required documentation is likely to be extensive, covering the following topics:
- Understanding your SAST results
- Identifying which rules need to be tuned or disabled and how to do this
- Rule creation:
  - Syntax reference
  - Style guide
  - Testing expectations
  - Licensing considerations
  - Release processes
Other links / references
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/docs/enhance-rule-checklist.md?ref_type=heads
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/docs/sast-rule-reviewer-checklist.md?ref_type=heads
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/docs/update-rule-process.md?ref_type=heads
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/CONTRIBUTING.md?ref_type=heads
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/README.md?ref_type=heads
- SAST Rules Enhancement Issue Template