AppSec engineers are responsible for triaging the findings of the GitLab security tools. This role has two primary functions.
For the dashboards to review, please see triage rotation above.
For each finding:
Apply the label (using the /label ~ command) corresponding to the DevOps stage and source group (consult the Hierarchy for an overview of the categories forming the hierarchy).
If a vulnerability is identified in a product dependency, the appsec engineer should follow the security development workflow to create a merge request to update the dependency in all supported versions. The merge request should be opened in the GitLab Security repo so that the dependency gets updated in supported backports as well. Vulnerabilities determined to be High should have merge requests created when identified.
Low vulnerabilities will be addressed by best effort, but always within the 90-day SLA.
The goal of this process is to update dependencies as quickly as possible, and reduce the impact on development teams for minor updates. In the future, this step could be replaced by auto remediation.
If an upgrade to a new major version is required, it might be necessary for the update to be handled directly by the responsible development team.
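The remediation rules above (High findings get a merge request when identified, Low findings within the 90-day SLA, one dependency update covering all supported versions, and major-version bumps routed to the responsible development team) can be turned into a small triage queue. The script below is an added example, not code from this handbook page or from GitLab. It assumes the input follows the GitLab security report JSON layout (a top-level "vulnerabilities" list whose entries carry "severity" and "location.dependency"); the sample report is constructed, and the "fixed_version" field on each finding is an assumption made here rather than part of the real report schema. Severities the page does not give a rule for are routed to manual review instead of being guessed.

```python
"""Triage helper for GitLab Dependency Scanning findings.

Added example, not code from the handbook or from GitLab. The report below is
constructed in the shape of gl-dependency-scanning-report.json; the
"fixed_version" field is an assumption added for this example.
"""
import json
from datetime import date, timedelta

# Rules stated on the page: High findings get a merge request as soon as they
# are identified; Low findings are best effort, but within the 90-day SLA.
# Other severities are not covered by the page, so they go to manual review.
SLA_DAYS = {"High": 0, "Low": 90}

# Constructed "today" so that the example is reproducible offline.
TODAY = date(2024, 1, 1)

# Constructed sample report (package names and versions are illustrative).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "f1", "name": "Sample finding A", "severity": "High",
         "location": {"file": "Gemfile.lock",
                      "dependency": {"package": {"name": "rack"}, "version": "2.0.1"}},
         "fixed_version": "2.0.9"},
        {"id": "f2", "name": "Sample finding B", "severity": "Low",
         "location": {"file": "Gemfile.lock",
                      "dependency": {"package": {"name": "rack"}, "version": "2.0.1"}},
         "fixed_version": "2.0.9"},
        {"id": "f3", "name": "Sample finding C", "severity": "Low",
         "location": {"file": "package-lock.json",
                      "dependency": {"package": {"name": "lodash"}, "version": "3.10.1"}},
         "fixed_version": "4.17.21"},
        {"id": "f4", "name": "Sample finding D", "severity": "Medium",
         "location": {"file": "package-lock.json",
                      "dependency": {"package": {"name": "minimist"}, "version": "1.2.0"}},
         "fixed_version": "1.2.6"},
    ],
})


def major(version):
    """Leading numeric component of a dotted version string."""
    return int(version.split(".")[0])


def is_major_upgrade(current, fixed):
    """True when the fix needs a new major version, which the page says may
    have to be handled by the responsible development team."""
    return major(fixed) > major(current)


def triage(report_json, today):
    """Return one work item per (file, package), so a single merge request
    updates the dependency across all of its findings. The earliest due date
    among the findings decides the item's action."""
    report = json.loads(report_json)
    items = {}
    for finding in report.get("vulnerabilities", []):
        location = finding.get("location", {})
        dep = location.get("dependency", {})
        name = dep.get("package", {}).get("name", "<unknown>")
        key = (location.get("file", "<unknown>"), name)
        item = items.setdefault(key, {
            "file": key[0], "package": name,
            "current": dep.get("version", "0"),
            "fixed": finding.get("fixed_version"),
            "findings": [], "due": None, "action": "NEEDS_REVIEW",
        })
        item["findings"].append(finding["id"])
        days = SLA_DAYS.get(finding.get("severity"))
        if days is None:
            continue  # severity without a rule on the page: manual review
        due = today + timedelta(days=days)
        if item["due"] is None or due < item["due"]:
            item["due"] = due
            item["action"] = "OPEN_MR_NOW" if days == 0 else "OPEN_MR_WITHIN_SLA"
    for item in items.values():
        if item["fixed"] and is_major_upgrade(item["current"], item["fixed"]):
            item["owner"] = "development team (major version bump)"
        else:
            item["owner"] = "appsec (MR in the security repo, with backports)"
    # Items with a due date first, soonest first; unreviewed items last.
    return sorted(items.values(), key=lambda i: (i["due"] is None, i["due"] or today))


def demo():
    """Run the triage over the constructed report with the constructed date."""
    return triage(SAMPLE_REPORT, TODAY)


if __name__ == "__main__":
    for item in demo():
        print(f"{item['package']:<10} {item['file']:<18} {item['action']:<19} "
              f"due={item['due']} findings={item['findings']} -> {item['owner']}")
```

In real use, replace SAMPLE_REPORT with the contents of the dependency scanning artifact from the pipeline and TODAY with date.today(); the grouping step is what keeps one merge request per dependency rather than one per finding.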
Security developer workflow template.