Static Analysis Runbooks

Overview

This page lists runbooks used by the Static Analysis team for monitoring, mitigating and responding to an incident.

Runbooks
How to monitor and respond to issues with SAST Automatic Vulnerability Resolution?

When to use this runbook?

This runbook is intended to be used when there is a service degradation in relation to the SAST Automatic Vulnerability Resolution feature. Such degradation can be identified by monitoring the following:

SAST Automatic Vulnerability Resolution

The SAST Automatic Vulnerability Resolution feature is built to, as the name implies, automatically resolve vulnerabilities tied to SAST rules that have been disabled or removed.

SAST analyzer deprecation and removal instructions

Analyzer Conversion Lifecycle

Many of the SAST analyzers are in the process of being replaced by semgrep. This involves having semgrep take over the functionality of the legacy analyzer.

The steps to achieve this are:

  1. Migrate Rules to sast-rules
  2. Audit Rules and review licensing
  3. Deprecate and remove analyzers

This document is concerned with the Deprecate and remove analyzers step. All the deprecation steps must be completed before removal can commence.

SAST analyzer rollback to last version in production

Rolling back analyzer to previous minor or patch version

This runbook provides instructions for rolling back an analyzer to a previous version in case of a high severity incident caused by a faulty release. It is an immediate stop-gap measure to ensure a smooth user experience for our customers. It is intended for engineers responsible for maintaining and troubleshooting issues in an analyzer.

Note: This runbook is relevant for analyzers that use the ci-templates by including either analyzer.yml or docker.yml directly.