Static Analysis Group Reaction Rotation

Reaction Rotation

Each milestone, two engineers in the team are assigned the role of Reaction Rotation, one as Primary and the other as Secondary. The assignments are in the rotation schedule.

The Secondary role is to step in when the Primary is unavailable or over capacity. In such instances, the Secondary assumes the same responsibilities as the Primary, but otherwise they work on tasks planned for the milestone.

Responsibilities

The Reaction Rotation role has these responsibilities:

The Primary engineer can solicit help from the other engineers in the team. For example, when a task is not in their area of expertise and they have already spent significant time (i.e. hours) without much progress, or when they’re unable to keep up with the volume of tasks.

Assistance should initially come from the Secondary engineer, so as to minimize disruption to milestone deliverables, but all engineers should take into consideration that they may be pulled in to assist on a rotation task.

SAST Analyzer Vulnerability Management

The vulnerabilities for analyzers owned by Static Analysis need to be triaged and addressed.

  1. Go to the list of vulnerabilities for SAST/IaC (sorted by SLO)
  2. In decreasing order of severity, assign yourself to the issue.
  3. Work on the issue:
    1. fix the bug; or
    2. determine whether it needs to remain open, and handle the SLO exception process.

Requests for Help

Issues are created in the section-sec-request-for-help project. During Reaction Rotation, the assigned engineer must review the open issues and engage with each issue.

If a request for help highlights a bug or feature request, create an issue in the public tracker, link to it in the request for help issue, and close the latter.

Slack Questions

Check the Static Analysis Slack Channel and respond to any questions asked or delegate/ping a person that may know the answer. As with Requests for Help, if the question concerns a bug or feature request, create an issue.