12.2 Secure retrospective
This is an asynchronous retrospective for the 12.2 release, following the process described in the handbook.
This issue is private (confidential) to the Secure team, plus anyone else who worked with the team during 12.2, to ensure everyone feels comfortable sharing freely. On 2019-09-19, in preparation for the engineering-wide 12.2 Retrospective, the issue will be opened up to the public, as long as everyone is comfortable with this. You're free to redact any comments that contain information that you'd like to stay private before that date.
Please look back at your experiences working on this release, ask yourself
For each point you want to raise, please create a new discussion with the relevant emoji, so that others can weigh in with their perspectives, and so that we can easily discuss any follow-up action items in-line.
If there is anything you are not comfortable sharing here, please message your manager directly. Note, however, that 'Emotions are not only allowed in retrospectives, they should be encouraged', so we'd love to hear from you here if possible.
Issues we shipped
- Add Dependency Scanning to Dependency List - Add vulnerabilities to response
- Transition License Management to Python 3 by default instead of Python 2
- Q2 Secure experience baselines: managing licenses (accountability)
- 2019 Q2 - Secure experience baselines: Interacting with vulnerabilities in the MR
- Support uploading of multiple security reports of the same category
- Properly fix the split dropdown
- Document all the available options for SAST
- OWASP WebGoat project support: Dependency Scanning
- Auditor users should be able to see the group and project Security Dashboards
- Add security features into the nav
- Engineering & UX Discovery: Disallow merge if a blacklisted license is found
- More issues - this list only includes deliverables!
Issues that slipped
No missed deliverables found; great job!
- Total deliverables closed: 11
- Total issues closed: 39
- Total MRs merged: 88