[x] Choose and migrate a few repositories to gitlab.wikimedia.org for testing purposes (these can be MediaWiki extensions, etc)
[x] PHP/front-end JS (https://gitlab.wikimedia.org/security/secteam-boilerplate-fork)
[x] node (https://gitlab.wikimedia.org/security/service-runner-fork-nodejs)
[x] python (https://gitlab.wikimedia.org/security/pywikibot-fork-python-3)
[x] golang (https://gitlab.wikimedia.org/security/blubber)
[x] java (https://gitlab.wikimedia.org/security/extra-fork-java)
[x] Create initial application security pipeline / ci templates repository under the Security Team space (need to choose a name, see also: T289292) (https://gitlab.wikimedia.org/security/gitlab-ci-security-templates)
[] Migrate existing proof-of-concept node ci templates to slim Wikimedia node docker images and install necessary packages via apt and npm. This was recommended by #release-engineering but there is still some debate regarding this security model (T291978). (@sbassett)
[] Research and design basic ci processing scripts (to exit 1 for tools that report errors and generate report artifacts)
[] Finish node/npm initial tool ci templates
[] `npm audit` (Node 10, 12, 14) (@sbassett)
[] `npm outdated` (Node 10, 12, 14) (@Mstyles)
[] `auditjs` (Node 10, 12, 14) (@Mstyles)
[] `njsscan` (Python - requires research for supported Node versions)
[] `semgrep` (Python - requires research for supported Node versions)
[] `snyk` (Node - but likely licensing issues which may not work with our Gitlab/CI use-case) (@reedy)
[] Potentially benchmark and write tests for the above (needs research - this might not be feasible)
[] Proceed with developing and testing omnibus, singular ci template for node/npm security tooling (might need two for just SCA and SCA + SAST)
[] Investigate [[ https://gitlab.wikimedia.org/help/user/application_security/sast/index | SAST template options now included with Gitlab CE ]] and formulate use-cases and documentation
[] Design and document various use-cases and workflows for application security pipeline
[] Manual/scheduled triggers
[] Merge request workflow trigger (standard ci)
[] Deployment pipeline tests (needs serious consideration as to what passes/fails and when.)
[] Test proof-of-concept tools within the context of use-cases and workflows from above
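As an added example of the "basic ci processing script" task above (exit 1 when a tool reports findings, and write a report artifact), this is not code from the Security Team's templates repository. It assumes the `metadata.vulnerabilities` severity counts emitted by `npm audit --json`; the embedded report is a constructed sample.

```python
"""Gate a CI job on `npm audit --json` output and emit a report artifact."""
import json
import sys

# Severity names as used in npm audit's metadata.vulnerabilities counts (assumption).
SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample shaped like npm 7+ `npm audit --json` output; not a real scan.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "minimist": {"name": "minimist", "severity": "moderate", "via": ["constructed"]},
        "tar": {"name": "tar", "severity": "high", "via": ["constructed"]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})


def evaluate(report_json, fail_level="high"):
    """Return (exit_code, summary): 1 when findings at or above fail_level exist.
    Unparseable tool output also yields 1, so a broken scan cannot pass silently."""
    if fail_level not in SEVERITIES:
        return 1, {"error": f"unknown fail level {fail_level!r}"}
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError as exc:
        return 1, {"error": f"unparseable audit output: {exc}"}
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    per_level = {s: int(counts.get(s, 0)) for s in SEVERITIES}
    blocking = sum(per_level[s] for s in SEVERITIES[SEVERITIES.index(fail_level):])
    summary = {
        "fail_level": fail_level,
        "counts": per_level,
        "blocking": blocking,
        "packages": sorted(report.get("vulnerabilities", {}).keys()),
    }
    return (1 if blocking else 0), summary


def main(argv):
    fail_level = argv[1] if len(argv) > 1 else "high"
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    code, summary = evaluate(raw, fail_level)
    # Written next to the job so GitLab can collect it via `artifacts:`.
    with open("npm-audit-summary.json", "w") as fh:
        json.dump(summary, fh, indent=2)
    print(json.dumps(summary, indent=2))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a job, capture the tool output first (`npm audit --json > audit.json || true`, since `npm audit` itself exits non-zero on any finding) and then let this script decide the job's exit status with the chosen threshold.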