Change Details

[x] Choose and migrate a few repositories to gitlab.wikimedia.org for testing purposes (these can be MediaWiki extensions, etc) [x] PHP/front-end JS (https://gitlab.wikimedia.org/security/secteam-boilerplate-fork) [x] node (https://gitlab.wikimedia.org/security/service-runner-fork-nodejs) [x] python (https://gitlab.wikimedia.org/security/pywikibot-fork-python-3) [x] golang (https://gitlab.wikimedia.org/security/blubber) [x] java (https://gitlab.wikimedia.org/security/extra-fork-java) [x] Create initial application security pipeline / ci templates repository under the Security Team space (need to choose a name, see also: T289292) (https://gitlab.wikimedia.org/security/gitlab-ci-security-templates) //...moved some of this to sub-tasks for improved project management...// [] Finish node/npm initial tool ci templates [] `njsscan` (Python - requires research for supported Node versions) [] `semgrep` (Python - requires research for supported Node versions) [] `snyk` (Node - but likley licensing issues which may not work with our Gitlab/CI use-case) (@reedy) [] Potentially benchmark and write tests for the above (needs research - this might not be feasible) [] Proceed with developing and testing omnibus, singular ci template for node/npm security tooling (might need two for just SCA and SCA + SAST) [] Investigate [[ https://gitlab.wikimedia.org/help/user/application_security/sast/index | SAST template options now included with Gitlab CE ]] and formulate use-cases and documentation [] Design and document various use-cases and workflows for application security pipeline [] Manual/scheduled triggers [] Merge request workflow trigger (standard ci) [] Deployment pipeline tests (needs serious consideration as to what passes/fails and when.) [] Test proof-of-concept tools within the context of use-cases and workflows from above

[x] Choose and migrate a few repositories to gitlab.wikimedia.org for testing purposes (these can be MediaWiki extensions, etc) [x] PHP/front-end JS (https://gitlab.wikimedia.org/security/secteam-boilerplate-fork) [x] node (https://gitlab.wikimedia.org/security/service-runner-fork-nodejs) [x] python (https://gitlab.wikimedia.org/security/pywikibot-fork-python-3) [x] golang (https://gitlab.wikimedia.org/security/blubber) [x] java (https://gitlab.wikimedia.org/security/extra-fork-java) [x] Create initial application security pipeline / ci templates repository under the Security Team space (need to choose a name, see also: T289292) (https://gitlab.wikimedia.org/security/gitlab-ci-security-templates) //...moved some of this to sub-tasks for improved project management...// [] Finish node/npm initial tool ci templates [] `njsscan` (Python - requires research for supported Node versions) [] `semgrep` (Python - requires research for supported Node versions) [] `snyk` (Node - but likley licensing issues which may not work with our Gitlab/CI use-case) (@reedy) [] Potentially benchmark and write tests for the above (needs research - this might not be feasible) [] Proceed with developing and testing omnibus, singular ci template for node/npm security tooling (might need two for just SCA and SCA + SAST) [] Design and document various use-cases and workflows for application security pipeline [] Manual/scheduled triggers (already exists within Gitlab - provide doc, best practices) [] Merge request workflow trigger (standard ci) (already exists within Gitlab - provide doc, best practices) [] Deployment pipeline tests (needs serious consideration as to what passes/fails and when.)

[x] Choose and migrate a few repositories to gitlab.wikimedia.org for testing purposes (these can be MediaWiki extensions, etc) [x] PHP/front-end JS (https://gitlab.wikimedia.org/security/secteam-boilerplate-fork) [x] node (https://gitlab.wikimedia.org/security/service-runner-fork-nodejs) [x] python (https://gitlab.wikimedia.org/security/pywikibot-fork-python-3) [x] golang (https://gitlab.wikimedia.org/security/blubber) [x] java (https://gitlab.wikimedia.org/security/extra-fork-java) [x] Create initial application security pipeline / ci templates repository under the Security Team space (need to choose a name, see also: T289292) (https://gitlab.wikimedia.org/security/gitlab-ci-security-templates) //...moved some of this to sub-tasks for improved project management...// [] Finish node/npm initial tool ci templates [] `njsscan` (Python - requires research for supported Node versions) [] `semgrep` (Python - requires research for supported Node versions) [] `snyk` (Node - but likley licensing issues which may not work with our Gitlab/CI use-case) (@reedy) [] Potentially benchmark and write tests for the above (needs research - this might not be feasible) [] Proceed with developing and testing omnibus, singular ci template for node/npm security tooling (might need two for just SCA and SCA + SAST) [] Investigate [[ https://gitlab.wikimedia.org/help/user/application_security/sast/index | SAST template options now included with Gitlab CE ]] and formulate use-cases and documentation [] Design and document various use-cases and workflows for application security pipeline [] Manual/scheduled triggers (already exists within Gitlab - provide doc, best practices) [] Merge request workflow trigger (standard ci) (already exists within Gitlab - provide doc, best practices) [] Deployment pipeline tests (needs serious consideration as to what passes/fails and when.) [] Test proof-of-concept tools within the context of use-cases and workflows from above