# GA Release: Automatic Detection of Secret Scanning False Positives
## Executive Summary
This epic covers the general availability (GA) release of AI-powered automatic detection of false positives in Secret Scanning results. Building on the Beta release capabilities, this phase will expand coverage, improve detection accuracy, and introduce additional features based on customer feedback and usage patterns.
The solution will analyze Secret Detection findings to identify test credentials, example values, and dummy secrets that are incorrectly flagged as actual security vulnerabilities, providing clear explanations and confidence scores for each determination.
#### Engineering Assessment
This feature builds upon the Beta release of false positive detection in Secret Detection and extends it with additional capabilities and broader coverage. The implementation will integrate with multiple surfaces in the GitLab UI and provide comprehensive coverage for all severity levels.
#### Dependencies
- Team dependencies:
  - Sec AI Experiments team (primary development)
  - Secret Detection group (Secret Detection scanner integration)
  - Duo Workflow team (AI infrastructure)
#### Initiative Driver - Product or Engineering?
- [x] **Product-driven initiatives (P1/P2/P3)** - Customer-facing features or improvements driven by Product teams that require engineering resources and commitment
  - These initiatives require a Product Priority label (P1/P2/P3)
  - They may also receive GTM tier labels (T1/T2/T3) for external communication
- [ ] **Engineering-driven initiatives (E1/E2/E3)** - Internal technical improvements that may not have customer-facing components
  - These initiatives require an Engineering Priority label (E1/E2/E3)
  - They have internal visibility only and are not externally communicated
  - Examples include: technical debt reduction, infrastructure improvements, refactoring, dependency upgrades
#### Sizing and Funding (Optional)
- **Size**: L
- **Funding Status**: Pending
---
### Hygiene Guidelines
:bulb: See additional details about this process at https://handbook.gitlab.com/handbook/product-development/r-and-d-interlock/
##### :one: Pre-Interlock
- [ ] Update epic description with all relevant information
- [ ] Ensure all dependencies are identified
- [ ] Apply appropriate labels (see below)
- [ ] Apply target delivery Milestone
- [ ] Update interlock status as discussions progress (via label)
##### :two: Post-Interlock: once quarter begins
- Update health status weekly (via label)
- Document any newly identified risks or dependencies
- Link to implementation epics/issues as work begins
- Flag any scope or timeline changes immediately
---
## Related Work
- Beta Release: https://gitlab.com/groups/gitlab-org/-/work_items/20152 (Beta Release: Automatic Detection of Secret Scanning False Positives)