Static Analysis Runbooks

Overview

This page lists runbooks used by the Static Analysis team for monitoring, mitigating and responding to an incident.

Runbooks

How to monitor and respond to issues with SAST Automatic Vulnerability Resolution?

When to use this runbook? This runbook is intended to be used when there is a service degradation in relation to the SAST Automatic Vulnerability Resolution feature. Such degradation can be identified by monitoring the following:

- Sidekiq Error Rate (in the Static Analysis group dashboard) with Vulnerabilities::MarkDroppedAsResolvedWorker selected.
- Sidekiq execution Apdex and Error Ratio panels from the Static Analysis error budget.

SAST Automatic Vulnerability Resolution: the SAST Automatic Vulnerability Resolution feature is built to, as the name implies, automatically resolve vulnerabilities tied to SAST rules that have been disabled or removed.
SAST analyzer deprecation and removal instructions

Analyzer Conversion Lifecycle: many of the SAST analyzers are in the process of being replaced by semgrep. This involves having semgrep take over the functionality of the legacy analyzer. The steps to achieve this are:

1. Migrate rules to sast-rules
2. Audit rules and review licensing
3. Deprecate and remove analyzers

This document is concerned with the "Deprecate and remove analyzers" step. All the deprecation steps must be completed before removal can commence.

Analyzer Deprecation 1.