This example shows how to run Static Application Security Testing (SAST) on your project's source code by using GitLab CI/CD.
All you need is a GitLab Runner with the Docker executor (the shared Runners on GitLab.com will work fine). You can then add a new job to your pipeline configuration:

```yaml
sast:
  image: registry.gitlab.com/gitlab-org/gl-sast:latest
  script:
    - /app/bin/run .
  artifacts:
    paths: [gl-sast-report.json]
```
Behind the scenes, the `gl-sast` Docker image detects the project's language/framework and in turn runs the matching scan tool.
The above example will create a `sast` job in your CI pipeline and will allow you to download and analyze the report artifact in JSON format.
The results are sorted by the priority of the vulnerability:
- Everything else
The job name must be `sast` and the artifact path must be `gl-sast-report.json`. Learn more on application security testing results shown in merge requests.
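The report artifact is plain JSON, so it can be triaged outside the GitLab UI as well. The script below is an added example, not part of the GitLab documentation or the gl-sast image: it loads a `gl-sast-report.json`, orders findings by priority (with anything outside the known priorities sorted last, as "everything else"), counts them, and offers a simple gate that fails when a finding at or above a chosen priority is present. The priority ordering (`High`, `Medium`, `Low`, `Unknown`) and the finding field names (`tool`, `priority`, `message`, `file`, `line`) are assumptions for illustration; the embedded sample report is constructed, not real scanner output.

```python
"""Triage a gl-sast-report.json artifact (added example; field names are assumed)."""
import json
import sys
from collections import Counter

# Assumed ordering of priorities; a finding with any other priority sorts last
# ("everything else"). Adjust to match the report your scanner actually emits.
PRIORITY_ORDER = ["High", "Medium", "Low", "Unknown"]

# Constructed sample report in the shape of a JSON array of findings. The field
# names here are an assumption made for this example, not the page's schema.
SAMPLE_REPORT = json.dumps([
    {"tool": "brakeman", "priority": "Medium", "message": "Possible SQL injection",
     "file": "app/models/user.rb", "line": 42},
    {"tool": "brakeman", "priority": "High", "message": "Unsafe deserialization",
     "file": "app/controllers/import_controller.rb", "line": 17},
    {"tool": "brakeman", "priority": "Low", "message": "Unescaped output in view",
     "file": "app/views/posts/show.html.erb", "line": 9},
    {"tool": "brakeman", "priority": "Info", "message": "Outdated dependency",
     "file": "Gemfile.lock", "line": 1},
])


def priority_rank(finding):
    """Lower rank = more urgent; unknown priorities rank after all known ones."""
    priority = finding.get("priority", "Unknown")
    if priority in PRIORITY_ORDER:
        return PRIORITY_ORDER.index(priority)
    return len(PRIORITY_ORDER)


def load_findings(report_text):
    """Parse the report text and return findings sorted most urgent first."""
    data = json.loads(report_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of findings")
    return sorted(data, key=priority_rank)


def count_by_priority(findings):
    """Count findings per priority label."""
    return dict(Counter(f.get("priority", "Unknown") for f in findings))


def exceeds_threshold(findings, fail_at="Medium"):
    """True if any finding is at or above `fail_at`, i.e. the gate should fail."""
    limit = PRIORITY_ORDER.index(fail_at)
    return any(priority_rank(f) <= limit for f in findings)


def summarize(report_text):
    """Build a small summary a pipeline step could print or post to a review."""
    findings = load_findings(report_text)
    return {
        "total": len(findings),
        "by_priority": count_by_priority(findings),
        "ordered": [(f.get("priority", "Unknown"), f.get("file", "?"), f.get("line"))
                    for f in findings],
    }


if __name__ == "__main__":
    # Usage: python triage.py [path/to/gl-sast-report.json]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = summarize(text)
    for priority, path, line in summary["ordered"]:
        print(f"{priority:8} {path}:{line}")
    print("counts:", summary["by_priority"])
    if exceeds_threshold(load_findings(text), "High"):
        print("gate: FAIL (High-priority finding present)")
        sys.exit(1)
    print("gate: pass")
```

Running it against the downloaded artifact in a later pipeline stage turns the report into a merge gate; the threshold passed to `exceeds_threshold` is where a team decides which priorities block a merge and which are only reported.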
The following languages and frameworks are supported.
| Language / framework | Scan tool |
|---|---|
| Ruby on Rails | brakeman |