WIP: Establish Static Analysis Group Direction
Establish Static Analysis Group Direction: https://about.gitlab.com/direction/secure/static-analysis/sast/
We need to establish alignment around how the Static Analysis group wants to achieve the Secure Stage Vision and have a framework for how we think about problems. This issue is intended to hold discussion as @tmccaslin solidifies a plan for the Static Analysis Group.
Stage: Secure
Group: Static Analysis
- Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
Categories:
- Static Application Security Testing (SAST) - direction - #205387 (closed)
- Secret Detection - direction - #205388 (closed)
- Malware & Virus Detection - Soon - #198276 (closed)
Some strategic pillars I'm considering as overarching themes for our categories:
- How do we protect the most repos from the most common security issues (opportunity for impact)
- How do we choose the least invasive default option for the appropriate level of risk (don’t break the build unless it’s critical)
- Enable configuration and advanced capabilities (ML?) for advanced users (power and flexibility)
- Enable workflows to ensure the appropriate attention on issues and allow them to be tracked over time (trust and tracking)
- Provide integration points (for us internally, but also for external integrators) enabling integrations (be an ecosystem player)
Feedback is welcome. These strategic pillars should be "obvious" and easy to understand; they should not be controversial. If you think they are wrong or misaligned, please share your thoughts in a comment.
Within each of these strategic pillars there will be features in various stages of development that help us achieve our group vision.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.