OpenShift GitOps: GITOPS-7310

v1.17 - SAST scan result analysis

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Normal
    • Version: 1.17.0
    • Epic Name: v1.17 - SAST scan results analysis
    • Status: In Progress
    • Progress: 0% To Do, 17% In Progress, 83% Done

      Epic Goal

      • Analyze the impact and resolve weaknesses detected by the SAST scan. Note that there may be false positives flagged by the scan; in such cases, JIRAs can be closed without resolution but must include proper justification.

      Why is this important?

      • To have a single source for analysing SAST scan results
      • Checking the ProdSec Weakness Management Standard, Important weaknesses (I usually associate them as Critical) need to be fixed by the next GitOps version, 1.18.

        Impact rating   Review deadline   Required resolution target (Products)
        Critical        15 days           Must resolve by the next release (major or minor).
        High            30 days           Must resolve by the next or following release (major or minor).

      Scenarios

      1. SAST scan results from minor release

      Other Considerations

      • Results from nightly runs
      • Scan results are available
      • Previous work will be added here

      Definition of Ready

      • The epic has been broken down into stories.
      • Stories have been scoped.
      • The epic has been stack ranked.

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Integration tests have been completed.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written.
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.
      • Acceptance:
        • Product Manager or stakeholder has reviewed and accepted the work.

              rh-ee-sghadi Siddhesh Ghadi
              rhn-support-vab Varsha B
              Crimson