GitLab SAST Rules team bi-weekly sync
Mar 18:08 PM
17:50
Action Items
Overview
Bhavya joined as a new security expert, and Kev volunteered for updates and prioritization during the Shadow program.
Nasir called for a detailed process document; Wayne emphasized the need for combining processes in the handbook.
Michael and Jason marked rule issues with priority labels; the team agreed on the importance of clear guidance in the handbook.
Kev plans to keep contributing after his shadow week, focusing on issue prioritization and improving JavaScript rules with TypeScript support.
Team Introductions
Bhavya introduced themselves as a new external contractor at GitLab who works with Semgrep tooling and brings a security background.
Kev, a community contributor to GitLab, is shadowing Wayne this week.
Shadow Program and Rule Updates
Reference to the Shadow program shared in the Google Doc.
Kev volunteered to provide updates as part of the Shadow program; the updates were posted in the SAST contractor team channel and then forwarded to a channel Kev does not have access to.
Rule Enhancement Contributions
Kev added TypeScript support to several JavaScript rules that lacked it, mainly by extending the rules to cover TypeScript import syntax.
Ruby Rules and Process
Bhavya is excited to start on Ruby rules and is currently importing community rules for Ruby.
Nasir raised concerns about the number of recent changes to the rule-creation and documentation process.
Nasir recommended a single detailed document that captures all of the process changes.
Wayne stressed folding the changes into the handbook so there is one point of reference, rather than requiring team members to read the change log to understand the current process.
Michael and Jason updated rule issues to include priority labels; Wayne highlighted the importance of adding this information to the handbook for clarity.
Documentation and Process Clarity
Nasir and Wayne discussed making sure that every change, such as rule prioritization and when to use particular tools, is written down clearly in the handbook, and that any inconsistencies team members notice are flagged or fixed.
Kev volunteered to help with rule prioritization and mentioned aligning rule severity with priority during his shadowing week.
Nasir proposed a guide for setting up an effective rule-testing environment, similar to Jason's VS Code setup, and noted the Duo tool's performance limits.
Appreciation and Recognition
Nasir thanked Jason for containerizing MREs and for the overall assistance, making the process easier.
Bhavya thanked Jason for streamlining processes and Isaac for quick feedback on merge requests.
Wayne showed appreciation towards Bhavya, Nasir, the team, and Kev for their contributions.
Future Contributions
Kev plans to continue with community contributions beyond the shadowing week.
Kev's work this week covered issue prioritization, aligning rule severity with priority, and adding TypeScript support to JavaScript rules.
Additional Remarks
Nasir is compiling the issues encountered while using the Duo tool and plans to share them with the relevant team, possibly as a research effort or as an issue in GitLab.
Wayne reminded the team of the importance of writing down processes for both new and existing team members.