Static Application Security Testing with GitLab CI/CD

Caution: The job definition shown below is supported on GitLab 11.5 and later versions. It also requires GitLab Runner 11.5 or later. For earlier versions, use the previous job definitions.

This example shows how to run Static Application Security Testing (SAST) on your project’s source code by using GitLab CI/CD.

First, you need a GitLab Runner with the docker-in-docker executor.

Once you have set up the Runner, add a new job to .gitlab-ci.yml that generates the expected report:

sast:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json

The above example creates a sast job in your CI/CD pipeline and scans your dependencies for possible vulnerabilities. The report is saved as a SAST report artifact that you can later download and analyze. Due to implementation limitations, the latest SAST artifact available is always the one taken.

The results are sorted by the priority of the vulnerability:

  1. Critical
  2. High
  3. Medium
  4. Low
  5. Unknown
  6. Everything else

Behind the scenes, the GitLab SAST Docker image is used to detect the languages and frameworks in the project and, in turn, run the matching scan tools.
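The following script is an added example and is not part of the GitLab documentation or the SAST image. It shows two things a practitioner may want to check before relying on the job above: how the SP_VERSION tag is derived from CI_SERVER_VERSION (re-implemented in Python to mirror the sed expression in the job), and how findings in the report artifact are ordered by the priority list given above. The report layout used here is an assumption: the sample is constructed, and the loader accepts either an object with a "vulnerabilities" array or a bare array, reading the label from "severity" or, failing that, "priority".

```python
"""Post-process a gl-sast-report.json artifact (added example, not GitLab's code).

Assumptions, not guaranteed by the documentation: the report is either a JSON
object with a "vulnerabilities" array or a bare JSON array, and each finding
carries a "severity" (or older "priority") string such as "High".
"""
import json
import re

# Priority order from the documentation: Critical, High, Medium, Low, Unknown,
# then everything else.
PRIORITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]


def sp_version(ci_server_version):
    """Derive the security-products image tag the way the job's sed does:
    '11.5.0-ee' -> '11-5-stable'.

    Unlike sed, which passes an unmatched string through unchanged, this returns
    None when there is no MAJOR.MINOR prefix so a caller can fail loudly instead
    of pulling a tag that does not exist.
    """
    m = re.match(r"^(\d+)\.(\d+)", ci_server_version)
    if not m:
        return None
    return "{}-{}-stable".format(m.group(1), m.group(2))


def severity_label(finding):
    """Read the severity label, falling back to the older 'priority' key (assumption)."""
    return finding.get("severity", finding.get("priority", ""))


def priority_rank(finding):
    """Sort key: index in PRIORITY_ORDER; anything unrecognised sorts last."""
    try:
        return PRIORITY_ORDER.index(severity_label(finding))
    except ValueError:
        return len(PRIORITY_ORDER)


def load_findings(report_text):
    """Accept both shapes: {"vulnerabilities": [...]} and a bare [...] array."""
    data = json.loads(report_text)
    if isinstance(data, dict):
        return list(data.get("vulnerabilities", []))
    if isinstance(data, list):
        return data
    raise ValueError("unrecognised SAST report shape")


def sort_findings(report_text):
    """Return findings ordered Critical -> High -> Medium -> Low -> Unknown -> rest.
    sorted() is stable, so findings with equal severity keep their report order."""
    return sorted(load_findings(report_text), key=priority_rank)


def severity_counts(report_text):
    """Count findings per severity label, useful for a pipeline summary line."""
    counts = {}
    for finding in load_findings(report_text):
        label = severity_label(finding)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample report; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "version": "1.2",
    "vulnerabilities": [
        {"name": "Hardcoded credential", "severity": "Medium",
         "location": {"file": "config.rb", "start_line": 3}},
        {"name": "Use of eval", "severity": "Critical",
         "location": {"file": "app.rb", "start_line": 42}},
        {"name": "Weak random source", "severity": "Low",
         "location": {"file": "token.rb", "start_line": 7}},
        {"name": "Custom rule hit", "severity": "Info",
         "location": {"file": "util.rb", "start_line": 1}},
        {"name": "Path traversal", "severity": "High",
         "location": {"file": "download.rb", "start_line": 19}},
        {"name": "Unclassified tool output", "severity": "Unknown",
         "location": {"file": "misc.rb", "start_line": 2}},
    ],
})

if __name__ == "__main__":
    print("image tag for 11.5.0-ee:", sp_version("11.5.0-ee"))
    for finding in sort_findings(SAMPLE_REPORT):
        loc = finding["location"]
        print("{:<8} {}:{} {}".format(severity_label(finding), loc["file"],
                                      loc["start_line"], finding["name"]))
    print(severity_counts(SAMPLE_REPORT))
```

To run this against a real artifact, read gl-sast-report.json from a later-stage job that depends on the sast job and pass its contents to sort_findings; because the sast job uses allow_failure: true, the later job should treat a missing report as a failure rather than as "no findings".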

Tip: For GitLab Ultimate users, this information will be automatically extracted and shown right in the merge request widget. Learn more on SAST in merge requests.

Supported languages and frameworks

See the full list of supported languages and frameworks.

Previous job definitions

Caution: Before GitLab 11.5, the SAST job and artifact had to be named specifically to automatically extract report data and show it in the merge request widget. While these old job definitions are still maintained, they have been deprecated and may be removed in the next major release, GitLab 12.0. You are advised to update your current .gitlab-ci.yml configuration to reflect that change.

For GitLab 11.4 and earlier, the job should look like:

sast:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    paths: [gl-sast-report.json]