Standardize Security Analyzers Logging
### Problem to solve

There is a lack of control over logging, and no shared convention for it, across our [Security Analyzers](https://gitlab.com/gitlab-org/security-products/analyzers).

### Intended users

~"Persona: Software developer"

### Tasks

https://gitlab.com/gitlab-org/security-products/analyzers/common/-/merge_requests/73 has an example of how to use the common logrus format.

- [x] Document `SECURE_LOG_LEVEL` in GitLab docs.
  - [x] https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
  - [x] https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html
  - [x] https://docs.gitlab.com/ee/user/application_security/sast/index.html
  - [x] https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html
- [x] Update https://docs.gitlab.com/ee/development/integrations/secure.html to mention how to use logrus and the common logrus format.
- [x] Replace `fmt` print and `log` calls with the appropriate [logrus] calls in [common](https://gitlab.com/gitlab-org/security-products/analyzers/common).
- [x] Add support for the `SECURE_LOG_LEVEL` env var in [common](https://gitlab.com/gitlab-org/security-products/analyzers/common).
- [x] (Static Analysis) replace `fmt` print and `log` calls with the appropriate [logrus] calls in:
  - [x] [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit)
  - [x] [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman)
  - [x] [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint)
  - [x] [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder)
  - [x] [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec)
  - [x] [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec)
  - [x] [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan)
  - [x] [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit)
  - [x] [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex)
  - [x] [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets)
  - [x] [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)
  - [x] [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow)
  - [x] [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs)
  - [x] [tslint](https://gitlab.com/gitlab-org/security-products/analyzers/tslint)
- [x] (Dependency Scanning) replace `fmt` print and `log` calls with the appropriate [logrus] calls in:
  - [x] [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit)
  - [x] [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven)
  - [x] [gemnasium-python](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python)
  - [x] [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)
  - [x] [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js)
- [x] Update klar to use the common logutil for setting the formatter.

### What does success look like, and how can we measure that?

- All output is configurable via [logrus].
- `fmt` is no longer used to output messages.
- A logging convention is documented for developers of Security Products and is followed by every new Security Product project.

### What is the type of buyer?

- ~"GitLab Ultimate" users
- Users of the Security Products in their standalone form (as Docker images)

### Links / references

Started as a side discussion within #9592.

[logrus]: https://docs.gitlab.com/ee/development/go_guide/index.html#how-to-use-logrus
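The shape the `SECURE_LOG_LEVEL` and fmt-replacement tasks above aim for, as an added example that is not the analyzers' own code or the common logutil: a stdlib-only stand-in for logrus (so the block runs with no dependencies), using the level names and `info` default that GitLab documents for `SECURE_LOG_LEVEL`; the `Logger`, `ParseLevel` and `Logf` names are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"strings"
	"time"
)

// Level mirrors the documented SECURE_LOG_LEVEL values, most to least severe.
type Level int

const FatalLevel, ErrorLevel, WarnLevel, InfoLevel, DebugLevel Level = 0, 1, 2, 3, 4

var levelNames = []string{"fatal", "error", "warn", "info", "debug"}

// ParseLevel maps a SECURE_LOG_LEVEL value to a Level; unknown or empty values fall back to info with ok=false.
func ParseLevel(raw string) (level Level, ok bool) {
	for i, name := range levelNames {
		if strings.EqualFold(strings.TrimSpace(raw), name) {
			return Level(i), true
		}
	}
	return InfoLevel, false
}

// Logger is a constructed stand-in for the common logutil: logrus-text-style lines to w, filtered by min.
type Logger struct {
	w   io.Writer
	min Level
}

// NewLogger(os.Stderr, os.Getenv("SECURE_LOG_LEVEL")) keeps logs off stdout and warns on a bad value.
func NewLogger(w io.Writer, raw string) *Logger {
	lvl, ok := ParseLevel(raw)
	l := &Logger{w: w, min: lvl}
	if raw != "" && !ok {
		l.Logf(WarnLevel, "unknown SECURE_LOG_LEVEL %q, falling back to info", raw)
	}
	return l
}

// Logf replaces bare fmt.Print calls: emits one line when level is at or above min; reports whether written.
func (l *Logger) Logf(level Level, format string, args ...interface{}) bool {
	if level > l.min {
		return false
	}
	fmt.Fprintf(l.w, "time=%q level=%s msg=%q\n", time.Now().UTC().Format(time.RFC3339), levelNames[level], fmt.Sprintf(format, args...))
	return true
}
```

Pointing the logger at stderr matters because an analyzer's stdout may carry report data; a misconfigured level is reported rather than silently swallowing output.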