
Discuss design approaches for the future of Dependency Scanning and Static Reachability

Introduction

In this issue we can discuss approaches and trade-offs regarding the future of Dependency Scanning. This discussion was triggered by the fact that Static Reachability belongs with software composition analysis, yet currently (as an experimental feature) it is located in the Jobs/SAST.latest.gitlab-ci.yml template.

Proposals

  • Create a new SCA.gitlab-ci.yml template that has the new DS analyzer for dependency scanning and the static reachability feature (#523358 (closed)).
  • Add new specific and per feature templates. One template for DS and one for Static Reachability.
  • Introduce a Dependency-Scanning.v2.gitlab-ci.yml template and consider the current DS stable template as v1. See related proposal: Add versioning and spec:inputs to AST CI/CD tem... (#523986)
  • Use Dependency-Scanning.latest.gitlab-ci.yml for Static reachability but use it only for the new DS analyzer.

Outcomes

We've decided to use Dependency-Scanning.latest.gitlab-ci.yml for the Beta of Static reachability. This is tracked in Enable Static Reachability in the latest DS tem... (#523358 - closed) • Nick Ilieskou • 17.11 • At risk

What we will use for the GA of Static Reachability will depend on ongoing discussions about the transition from Gemnasium to the new DS analyzer and how we organize our CI/CD templates. It's likely to be one of these options:

  • use the stable Dependency-Scanning.gitlab-ci.yml CI/CD template.
  • use a new template (new name or new version of the DS template).
Edited by Olivier Gonzalez