Support incremental scans for SAST
Problem to solve
GitLab runs a pipeline every time a new change is committed to the repo. The pipeline includes security testing, and it guarantees that the security status is always up to date and that problems are spotted as soon as possible.
This is very useful for users, but if the security checks take too long to complete, the pipeline is delayed waiting for their results. That is not optimal, especially when a change touches only a few lines of code: the current behavior is to rescan the whole codebase, and most of that effort is not needed.
We should implement an incremental scan that targets only modified or new code and the files related to it, in order to provide quicker results and shorten pipeline execution time.
Target audience
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
Further details
Other tools, such as Checkmarx, already support this: https://checkmarx.atlassian.net/wiki/spaces/KC/pages/46661825/Managing+Projects+and+Running+Scans
Proposal
Detect which files a given commit changes, and run the security checks only where needed instead of over the entire source code repository.
This should be an optional feature, and users should still be able to run a full scan when they need one (for example, when scheduling daily security pipelines that are not tied to a specific push event).
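As an added illustration (not GitLab's implementation), the following CI job script shows one way to make that decision: it picks the scan mode from the pipeline context and builds the list of changed source files for an incremental run, falling back to a full scan whenever no trustworthy base commit exists or the pipeline was started by a schedule. CI_PIPELINE_SOURCE, CI_COMMIT_BEFORE_SHA and CI_COMMIT_SHA are GitLab predefined variables; SAST_INCREMENTAL and the file-extension list are assumptions for the example.

```shell
#!/bin/sh
# Added example, not GitLab's own code: choose full vs incremental SAST and
# compute the changed-file list. SAST_INCREMENTAL is a hypothetical opt-in
# switch; the extension list in filter_source is an assumed scanner scope.

NULL_SHA="0000000000000000000000000000000000000000"

# scan_mode SOURCE BEFORE_SHA INCREMENTAL -> prints "full" or "incremental".
# A full scan is forced when the user opted out, when the pipeline was not
# started by a push or merge request (e.g. a scheduled daily pipeline), or
# when there is no base commit (first push of a branch gives an all-zero SHA).
scan_mode() {
  if [ "$3" != "true" ]; then echo full; return; fi
  case "$1" in
    push|merge_request_event) ;;
    *) echo full; return ;;
  esac
  if [ -z "$2" ] || [ "$2" = "$NULL_SHA" ]; then echo full; return; fi
  echo incremental
}

# changed_files BASE HEAD -> added, copied, modified or renamed paths only;
# deleted files have nothing left to scan.
changed_files() {
  git diff --name-only --diff-filter=ACMR "$1" "$2"
}

# filter_source: keep only extensions the scanner understands (assumed list).
filter_source() {
  grep -E '\.(py|js|ts|go|rb|java)$' || true
}

main() {
  mode=$(scan_mode "${CI_PIPELINE_SOURCE:-}" "${CI_COMMIT_BEFORE_SHA:-}" "${SAST_INCREMENTAL:-true}")
  if [ "$mode" = full ]; then
    echo "full scan of the repository"
    # run the scanner over the whole checkout here
    return
  fi
  files=$(changed_files "$CI_COMMIT_BEFORE_SHA" "$CI_COMMIT_SHA" | filter_source)
  if [ -z "$files" ]; then
    echo "no scannable source changed; skipping SAST"
    return
  fi
  echo "incremental scan of:"; echo "$files"
  # pass "$files" to the scanner's target list here
}

# Only runs when invoked as "sh sast-mode.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Scanning only the changed files can miss findings whose data flow crosses into unchanged files, which is why the full scan remains the baseline for scheduled pipelines.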
What does success look like, and how can we measure that?
We can measure the time spent in security checks for each pipeline, and count how many runs have the quick-scan option enabled versus disabled.
What is the type of buyer?
This feature helps developers increase their productivity, and it also helps executives justify the cost of the investment and the benefit of running security scans on every change.