Static Analysis Group Reaction Rotation
Reaction Rotation
Each iteration, two member of the Static Analysis blue team will be assigned the role of Reaction Rotation, one as Primary and the other as Secondary. The assigned engineers will be marked as primary and secondary in the “Reaction Rotation” section of the planning issue. For example, @craigmsmith was assigned as Primary and @adamcohen as Secondary in 17.3.
Primary Reaction Rotation
Responsibilities
The Reaction Rotation role has three main responsibilities:
SAST Analyzer Vulnerability Management
The vulnerabilities for each SAST/IaC analyzer need to be triaged and addressed.
- Go to the list of vulnerabilities for SAST/IaC (sorted by SLO)
- Go through unassigned, prioritized bugs, by severity
- Assign yourself
- Fix the bug / determine whether it needs to remain open / provide a workaround, tag EM & PM
- Update the issue
Requests for Help
Periodically, questions are posted in the section-sec-request-for-help project. During Reaction Rotation, the assigned engineer should review the Static Analysis Requests for Help and engage with each issue. If a request for help highlights a bug or feature request, create an issue for the bug, close the request for help and tag @gitlab-org/secure/static-analysis/blue, EM and PM so that the bug can be prioritized.
Slack Questions
Check the Static Analysis Slack Channel and respond to any questions asked or delegate/ping a person that may know the answer. As with Requests for Help, if the question concerns a bug or feature request, create an issue and tag @gitlab-org/secure/static-analysis/blue, EM and PM so that it can be prioritized.
Secondary Reaction Roatation
Responsibilities
The Secondary Reaction Rotation role is to support the Primary, stepping in only when the Primary is unavailable due to being over capacity or out of the office. In such instances, the Secondary will assume the same responsibilities as the Primary, ensuring continuity and efficiency in managing reaction rotation tasks. The goal is to provide seamless coverage, maintaining the same standards and quality of service as expected from the Primary.
cfa0a72a)
