Bring SAST scanners to Core
## Overview

GitLab Enterprise Edition includes [SAST scanning](https://docs.gitlab.com/ee/user/application_security/sast/). We are moving it to Core to fulfill [our stewardship promise](https://about.gitlab.com/company/stewardship/#promises).

## Proposal

Make the first three SAST capabilities listed below available in all tiers, including Core. The bottom three capabilities remain in ~"GitLab Ultimate" only.

| Capability | In Core | In Ultimate |
| --- | --- | --- |
| [Configure SAST Scanners](https://docs.gitlab.com/ee/user/application_security/sast/#configuration) | **Yes** | Yes |
| [Customize SAST Settings](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings) (overrides, available variables, filters, timeouts, settings) | **Yes** | Yes |
| View [JSON Report](https://docs.gitlab.com/ee/user/application_security/sast/#reports-json-format) | **Yes** | Yes |
| [Presentation of JSON Report in Merge Request](https://docs.gitlab.com/ee/user/application_security/sast/#overview) | No | Yes |
| [Interaction with Vulnerabilities](https://docs.gitlab.com/ee/user/application_security/sast/#interacting-with-the-vulnerabilities) | No | Yes |
| [Access to Security Dashboard](https://docs.gitlab.com/ee/user/application_security/sast/#security-dashboard) | No | Yes |

We will iteratively move individual scanners from Ultimate to Core rather than moving all at once. This benefits us in a few ways:

1. We can move faster, since moving a single scanner is smaller and more achievable than moving all at once.
1. We get feedback sooner, so we can quickly adjust our plans for future scanners based on what we learn.

Other concerns about moving all scanners at once:

1. We haven't moved a scanner before, so we're not sure what technical challenges will be present.
1. We want to ensure we can respond to community feedback in a timely manner, and we don't yet know how much feedback we'll get on a per-scanner basis.

## Non-Engineering Tasks

* [ ] Create a dedicated blog post explaining the move; some additional rationale can be found in the [private deliberation issue](https://gitlab.com/gitlab-com/Product/issues/315).
  - WIP release post for our first scanner: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/52524
* [ ] Collateral & Messaging: https://gitlab.com/gitlab-com/Product/-/issues/446

### Documentation

Update documentation to make the distinction between product tiers clear, and what is and is not included in each.

### Testing

Perform end-to-end tests with both a Core and a ~"GitLab Ultimate" license to ensure that the correct functionality is exposed in each license tier.

### What does success look like, and how can we measure that?

Number of SAST scans done in the first 30 days after moving this to Core. Target: 300% of the scans done in the previous 30 days.

* This will demonstrate that more users are able to successfully use SAST scanning in Core.

### What is the type of buyer?

GitLab Core

### Scanner list

- [x] [Security Code Scan](https://gitlab.com/gitlab-org/gitlab/-/issues/227537) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan))
- [x] [pmd](https://gitlab.com/gitlab-org/gitlab/issues/36503) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex))
- [x] [Flawfinder](https://gitlab.com/gitlab-org/gitlab/issues/34709) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder))
- [x] [Sobelow](https://gitlab.com/gitlab-org/gitlab/issues/36054) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow))
- [x] [Gosec](https://gitlab.com/gitlab-org/gitlab/issues/36055) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/gosec))
- [x] [SpotBugs with the find-sec-bugs plugin](https://gitlab.com/gitlab-org/gitlab/issues/36056)
- [x] [ESLint security plugin](https://gitlab.com/gitlab-org/gitlab/issues/34707) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/eslint))
- [x] [NodeJsScan](https://gitlab.com/gitlab-org/gitlab/issues/34719) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan))
- [x] [phpcs-security-audit](https://gitlab.com/gitlab-org/gitlab/issues/36057) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit))
- [x] [bandit](https://gitlab.com/gitlab-org/gitlab/issues/36058) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/bandit))
- [x] [brakeman](https://gitlab.com/gitlab-org/gitlab/issues/34705) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman))
- [x] [TSLint config security](https://gitlab.com/gitlab-org/gitlab/issues/36509) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/tslint))
- [x] [kubesec](https://gitlab.com/gitlab-org/gitlab/-/issues/230625) ([repository](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec))

### Open Questions

- [X] Do we start with all languages? If not, which languages specifically do we start with?
  - Decision: No, we will start with a first language and then iterate from there.

### Intended users

* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Links / references

epic
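The proposal table above gives Core users the scanners and the JSON report, but not the merge request presentation, vulnerability interaction or Security Dashboard. A Core pipeline therefore has to consume `gl-sast-report.json` itself. The script below is an added example (not GitLab's own code or part of this issue) of a triage step that reads that artifact, summarises findings per analyzer and severity, applies a path filter and a severity threshold, and returns a pass/fail the job can turn into an exit code. The report shape (`version`, `vulnerabilities[]` with `severity`, `scanner`, `location`, `identifiers`, and `remediations[]`) follows the documented report format; the embedded sample report, its file names, line numbers and findings are constructed for this example, and the `High` default threshold and prefix-based path filter are this script's own choices, not a GitLab setting.

```python
"""Triage a GitLab SAST JSON report (gl-sast-report.json) in a pipeline step.

Added example: summarise the report per analyzer and severity, drop excluded
paths, and fail when any finding reaches the severity threshold.
"""
import json
import sys
from collections import Counter

# Severity names used by the GitLab report format, ranked for the gate.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the documented gl-sast-report.json shape; the files,
# lines and findings are invented for this example.
SAMPLE_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [
        {"id": "f1", "category": "sast", "name": "Use of weak hash (MD5)",
         "message": "MD5 is not collision resistant", "severity": "Medium",
         "confidence": "High", "scanner": {"id": "bandit", "name": "Bandit"},
         "location": {"file": "app/auth.py", "start_line": 42, "end_line": 42},
         "identifiers": [{"type": "bandit_test_id", "name": "B303", "value": "B303"}]},
        {"id": "f2", "category": "sast", "name": "Possible SQL injection",
         "message": "Query built with string formatting", "severity": "High",
         "confidence": "Medium", "scanner": {"id": "bandit", "name": "Bandit"},
         "location": {"file": "app/db.py", "start_line": 17, "end_line": 19},
         "identifiers": [{"type": "bandit_test_id", "name": "B608", "value": "B608"}]},
        {"id": "f3", "category": "sast", "name": "Hardcoded credential",
         "message": "Password literal in source", "severity": "High",
         "confidence": "Low", "scanner": {"id": "eslint", "name": "ESLint"},
         "location": {"file": "web/config.js", "start_line": 3, "end_line": 3},
         "identifiers": []},
        # No severity field at all: must surface as Unknown, not vanish.
        {"id": "f4", "category": "sast", "name": "Unchecked buffer copy",
         "message": "strcpy without bounds check",
         "scanner": {"id": "flawfinder", "name": "Flawfinder"},
         "location": {"file": "native/io.c", "start_line": 88, "end_line": 88},
         "identifiers": []},
    ],
    "remediations": [],
})


def load_report(text):
    """Parse report text and return the vulnerability list; reject anything else."""
    data = json.loads(text)
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("not a SAST report: missing 'vulnerabilities' list")
    return vulns


def severity_of(vuln):
    """Normalise severity; a missing or unrecognised value is reported as Unknown."""
    sev = vuln.get("severity", "Unknown")
    return sev if sev in SEVERITY_RANK else "Unknown"


def summarize(vulns):
    """Count findings per (analyzer id, severity)."""
    return Counter((v.get("scanner", {}).get("id", "?"), severity_of(v)) for v in vulns)


def findings_at_or_above(vulns, threshold, excluded_paths=()):
    """Findings at or above `threshold`, skipping files under an excluded path prefix."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {threshold!r}")
    floor = SEVERITY_RANK[threshold]
    kept = []
    for v in vulns:
        path = v.get("location", {}).get("file", "")
        if any(path.startswith(p) for p in excluded_paths):
            continue
        if SEVERITY_RANK[severity_of(v)] >= floor:
            kept.append(v)
    return kept


def format_finding(v):
    """One line per finding: severity, analyzer, file:line, name and rule ids."""
    loc = v.get("location", {})
    ids = ",".join(i.get("value", "") for i in v.get("identifiers", []) if i.get("value"))
    tag = f" [{ids}]" if ids else ""
    return (f"{severity_of(v):<8} {v.get('scanner', {}).get('id', '?'):<12} "
            f"{loc.get('file', '?')}:{loc.get('start_line', '?')}  {v.get('name', '')}{tag}")


def gate(report_text, threshold="High", excluded_paths=()):
    """Return (passed, lines): passed is False when any finding reaches the threshold."""
    vulns = load_report(report_text)
    lines = [f"{scanner}/{sev}: {n}" for (scanner, sev), n in sorted(summarize(vulns).items())]
    blocking = findings_at_or_above(vulns, threshold, excluded_paths)
    lines += [format_finding(v) for v in blocking]
    return (not blocking), lines


if __name__ == "__main__":
    # In CI: python sast_gate.py gl-sast-report.json High
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, lines = gate(text, sys.argv[2] if len(sys.argv) > 2 else "High")
    print("\n".join(lines))
    sys.exit(0 if passed else 1)
```

Run it in a job that follows the SAST job and declares the SAST job's `gl-sast-report.json` artifact as a dependency; a non-zero exit then fails the pipeline on High or Critical findings, which is the closest a Core project gets to the Ultimate merge request gate. Findings without a recognised severity are kept and listed as `Unknown` rather than dropped, so a scanner that omits the field cannot silently pass the gate at a low threshold.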