FY21 Q3 KR: Dogfood Secure features in the secure department = 50%
Objective (Product): Increase dogfooding, performance, and productivity
This is to track work being done in: gitlab-org/gitlab#30568 (closed)
- Understand what is preventing us from implementing the dogfooding ==> Done
- Enable scanners for SAST, Secret Detection, Dependency Scanning and License Compliance for the Secure sub-department ==> Done
- Clean up existing findings to get a fresh run ==> Done
- Triage the initial security findings (create issues or dismiss) and start chipping away at the issues until they are addressed ==> Done
- Monitor new vulnerabilities in the Security Dashboard and wait for them to stabilize (drop to zero) for a week ==> In Progress
- By end of quarter, enable Security Approvals (blocking MRs on critical/high). Need to involve Laurence B. to figure out the process. Secure EMs for first-level approvals; David, Wayne and Todd for second-level approvals.
- Start to expand to other sections in the following quarters
- Enable DAST, fuzzing and container scanning
/CC @clefelhocz1
Retrospective
Good
- Discovered that we need a few features:
  - Need a "revert" in case of accidental dismissal: gitlab-org/gitlab#230558 (closed)
  - Need a way to bulk change the state of vulns: gitlab-org/gitlab#227284 (closed)
  - Need to be able to set the state back to "open": gitlab-org/gitlab#230558 (closed)
  - Need to be able to exempt certain folders/sub-folders. This is particularly necessary within Secure since a lot of our test folders intentionally have vulns: gitlab-org/gitlab#238117
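As an added illustration (not configuration from this issue or from the gitlab-org/gitlab project) of the "enable scanners" step in the checklist above and of the folder-exemption need listed here, the fragment below is a minimal `.gitlab-ci.yml` that includes the vendored GitLab templates for SAST, Secret Detection, Dependency Scanning and License Compliance and excludes fixture directories from the analyzers. The template names and the `*_EXCLUDED_PATHS` variables are the documented GitLab 13.x ones; the directory names are constructed placeholders. These variables skip paths at scan time, which is an assumption about one way to keep intentionally vulnerable test code out of the Security Dashboard; whether that satisfies what gitlab-org/gitlab#238117 asks for is not something this page states.

```yaml
# Added example, not the project's own CI config.
# Assumptions: vendored GitLab templates (13.x names) are available, and the
# excluded directories below are placeholders for a project's intentionally
# vulnerable test fixtures.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

variables:
  # Comma-separated path patterns the analyzers skip entirely. Findings in
  # these paths never reach the Security Dashboard, at the cost of those
  # paths never being scanned; keep the list narrow and reviewable.
  SAST_EXCLUDED_PATHS: "spec/fixtures, qa/fixtures, test/fixtures"
  SECRET_DETECTION_EXCLUDED_PATHS: "spec/fixtures, qa/fixtures, test/fixtures"
  DS_EXCLUDED_PATHS: "spec/fixtures, qa/fixtures, test/fixtures"
```

The templates attach their jobs to the default `test` stage, so no `stages:` block is needed unless the pipeline defines its own; if it does, a `test` stage must be present for the scanner jobs to run.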
Bad
- Accidentally dismissed all analyzer repo vulns. Created this issue to adjust the tables.
- We discovered that we didn't have vendored templates for our shared analyzer CI config enabled for secret detection and dependency scanning
- Starting to run into usability issues
Try
- Need to add the /label Dogfooding to all vulns found from this
- Redo how we track vulns to reduce FPs
Edited by Todd Stadelhofer