Docs on Secure analyzer usage tips
Problem to solve
There is no documentation or guidance on how best to implement and maintain custom configuration for the GitLab Secure CI job templates.
When Secure templates are hard-coded into a project and not maintained, or when they are heavily customized, breakage is more likely.
Docs on best practices for implementing (and overriding) Secure CI jobs would be a valuable reference for our customers and for the team.
Further details
The CI job templates that are pulled in via include: template: in .gitlab-ci.yml are version-controlled CI job templates that we ship with our self-managed product, so they change with every GitLab release.
When the Secure stage CI jobs are copied into .gitlab-ci.yml (hard-coded) instead of pulled in with include: template:, users miss out on any updates, improvements, and fixes made to the templates when they upgrade their GitLab version, because the copied job definition never changes.
When the default Secure scanner jobs are customized or overridden, the chance of breakage increases: a key overridden in the project file replaces the template's definition of that key, so overriding rules: or script:, for example, silently drops the logic the template shipped for it.
For best results, customers should include: template: the relevant Secure feature CI template, add any required variables, and otherwise customize it as little as possible.
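As an added illustration (not part of the original issue and not GitLab's own documentation), here is a .gitlab-ci.yml that follows the recommended pattern, with the hard-coded anti-pattern shown beside it for contrast. The template paths and variable names are real GitLab ones; the image path and tag in the hard-coded variant are constructed placeholders, and the stage list and rules are assumptions for a typical project.

```yaml
# Recommended: pull the Secure templates in with include: template:
# so each GitLab upgrade brings the template changes along.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# The Secure templates put their jobs in the "test" stage. A project that
# defines its own stages without "test" breaks every included Secure job,
# which is one of the most common "why does the template fail" reports.
stages:
  - build
  - test

# Configure through the documented variables rather than by editing job bodies.
variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"  # extends the template default
  SAST_EXCLUDED_ANALYZERS: "eslint"                      # turn one analyzer off, keep the rest
  SECURE_LOG_LEVEL: "debug"                              # verbose analyzer logs while tuning

# Minimal override: only touch the key you need, on the specific job.
# Caveat: overriding rules: on a template job REPLACES the template's rules,
# including its SAST_DISABLED opt-out, so only override rules: if you are
# prepared to own that logic after every upgrade.
semgrep-sast:
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_MERGE_REQUEST_IID

# Anti-pattern (kept commented out so the file stays valid): the same job
# hard-coded instead of included. This copy never changes on GitLab upgrade,
# so analyzer, variable, and rule fixes shipped in Security/SAST.gitlab-ci.yml
# are missed. The image path and tag are constructed placeholders.
#
# sast-hardcoded:
#   stage: test
#   image: registry.example.com/analyzers/sast:pinned   # frozen forever
#   script:
#     - /analyzer run
#   artifacts:
#     reports:
#       sast: gl-sast-report.json
```

The project-level variables block and the single-key job override are the two customization points that survive upgrades cleanly; everything else in the file is the template's responsibility.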
Proposal
Add a "Best Practices" section to the Application Security docs page.
Who can address the issue
@greg, the Secure team, anybody. Everyone can contribute.
Other links/references
Discussed in SAST office hours on 2021-08-19.