Remove all SAST QA projects and references
Proposal
SAST migrated from downstream QA tests to image integration tests as part of Improve SAST analyzer tests (#366852 - closed). However, many references to SAST QA projects remained after that change and need to be removed, since the secure-test-project-orchestrator pipeline is still running these SAST QA tests for no reason, and they're currently failing.
Implementation Plan
In all of the following SAST test projects and branches, the sast-qa job is returning:
Downstream repos are no longer used for SAST QA testing.
See https://gitlab.com/gitlab-org/gitlab/-/issues/366852 for more information.
Therefore, it's safe to remove all SAST QA references, since they're no longer used.
The following projects and branches test both SAST and Dependency Scanning. We need to remove SAST and SAST QA references, but keep the Dependency Scanning references:

-
  - master
  - offline-FREEZE
  - java-11-FREEZE
-
  - master
  - offline-FREEZE
  - update-expectation-maven-cli-opts-skip-tests-FREEZE
  - maven-cli-opts-skip-tests-FREEZE
  - custom-ca-cert-java-8-FREEZE
-
  - master
  - semgrep-migration-FREEZE
  - offline-FREEZE
-
  - master
  - update-requirements-offline-FREEZE
  - advanced-sast-FREEZE
  - offline-FREEZE

Delete the following unused SAST-only QA branches:

Archive the following SAST-only QA test projects. These projects are still triggered by the secure-test-project-orchestrator project and are currently causing the pipeline to fail:

- js
- java-android
- iac
- go-private
- go
- elixir-phoenix
- dotnet5
- csharp-dotnetcore-multiproject
- cplusplus
- cloudformation
- c
- apex-salesforce
- monorepo-spotbugs
- injuredandroidapk
- ansible
- java-groovy
- ruby-generic
- ruby-bundler-rails
- kotlin-gradle
- python-pip-flask
- nodejs
- kubernetes
- secrets
- typescript-yarn
- terraform

/label ~"Category:SAST" ~backend ~"devops::application security testing" ~"group::static analysis" ~"maintenance::workflow" ~"section::sec" ~"type::maintenance"