Create or curate recommended testing/example projects
## Background Benchmarks and intentionally-vulnerable apps can be misleading or unrepresentative in many ways. However, many evaluators use them because their own projects don't have a known set of vulnerabilities in them. (Running a SAST tool against your own code may give you a sense of its false-positive rate as you read its findings, but it's hard to reason about its false-negative rate if you don't have a set of known vulnerabilities to assess against.) ## Goal - Guide users to high-quality benchmarks so they can efficiently test how GitLab SAST performs. - Explain known behavior and interpretive notes in advance so that we can clearly demonstrate that we: - Know how our product performs. - Aren't just reactively coming up with explanations or reasons for certain observed behavior. - (Often we may know this context internally, but only sharing it after a customer request can make that less credible.) ## Proposal Recommend 1 or 2 benchmark/testing codebases per language that users can test with. Document any "gotchas" with enabling scanning for those projects or interpreting the project's results.
epic