Composition Analysis - Reaction Rotation for 17.2
Proposal
Handle tasks associated with our Reaction Rotation process
DRI
- primary @atiwari71
- secondary @nilieskou
Responsibilities - Security
- Triage vulnerabilities reported on the projects we maintain and help resolve them depending on their priority. (See Security vulnerabilities triaging process)
- Check for security automation failures.
- Check for new security releases of our dependencies and ensure we use them:
  - Upstream scanners
    - Trivy
  - Container base images
    - license-interfacer https://gitlab.com/gitlab-org/security-products/license-db/license-interfacer/-/merge_requests/109
    - license-processor https://gitlab.com/gitlab-org/security-products/license-db/license-processor/-/merge_requests/65
    - container-scanning gitlab-org/security-products/analyzers/container-scanning!3047 (merged)
  - Application dependencies
  - Programming language
- Refine scheduled security issues.
- Consider creating or updating any automation or tooling (related to security, maintainership or support!).
Responsibilities - Support
- Monitor Slack channels for questions, support requests, and alerts. While other team members may respond to these requests, the engineer assigned to the reaction rotation is expected to handle them primarily. If a support engineer requests assistance via Slack and it requires investigation or debugging, they should be directed to raise an issue in a dedicated project.
- Monitor the Section Sec Request For Help project for support requests.
- Refine scheduled bugs and maintenance issues.
Responsibilities - Maintainership
- Work with community contributors to help drive their merge requests to completion (more information on community contributions triaging process).
- Check for new versions of languages or package managers that we support, or deprecation / removal of support for the same, and notify the Engineering Manager and Product Manager via issue.
- Check for new versions of our dependencies (not related to security):
  - Upstream scanners (see Updating an upstream scanner).
  - Container base images.
  - Application dependencies.
  - Programming language.
- Check in on test failures. Check relevant Slack channels (#g_secure-composition-analysis-alerts, #s_secure-alerts).
- Check latest pipelines for any release failures. If any issue is preventing the automated release process from running, begin the release failure escalation process.
- Consider creating or updating any automation or tooling (related to security, maintainership or support!).
- Monitor failures and errors on the license-db project; use the #f_licese_database Slack channel for communication about these items, so other team members can provide support.
  - Check the latest scheduled pipelines of license-db for any failures. Ensure that pipelines pass or create an issue to fix the failure.
- Monitor the #g_secure-composition-analysis-alerts Slack channel for any incidents on the license-db infrastructure.
  - In case of an incident, react with 👁️ to indicate that you are looking into it.
  - If the incident isn't resolved in 30 minutes or more, investigate it.
  - Write down in the incident Slack thread all the steps that were taken to resolve it.
/cc @thiagocsf
Edited by Aditya Tiwari