Static Application Security Testing (SAST)

All open source (OSS) analyzers were moved from GitLab Ultimate to GitLab Free in GitLab 13.3.

Note: The whitepaper “A Seismic Shift in Application Security” explains how 4 of the top 6 attacks were application based. Download it to learn how to protect your organization.

If you’re using GitLab CI/CD, you can use Static Application Security Testing (SAST) to check your source code for known vulnerabilities. You can run SAST analyzers in any GitLab tier. The analyzers output JSON-formatted reports as job artifacts.

With GitLab Ultimate, SAST results are also processed so you can:

  • See them in merge requests.
  • Use them in approval workflows.
  • Review them in the security dashboard.

For more details, see the Summary of features per tier.

SAST results shown in the MR widget

The results are sorted by the priority of the vulnerability:

  1. Critical
  2. High
  3. Medium
  4. Low
  5. Info
  6. Unknown
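The same ordering can be applied to the JSON report artifact directly, which is useful on tiers where results are not shown in the merge request. The script below is an added example, not GitLab's own code. It assumes the report has a top-level `vulnerabilities` list whose items carry `severity`, `name` and `location`. The sample report is constructed, and the `High` gate threshold is a hypothetical policy choice.

```python
import json

# Severity order as listed above, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample report (not real scanner output). The field names are an
# assumption about the report layout: "vulnerabilities", "severity", "location".
SAMPLE_REPORT = """
{"vulnerabilities": [
  {"name": "Use of assert detected", "severity": "Low",
   "location": {"file": "app/util.py", "start_line": 12}},
  {"name": "Possible SQL injection", "severity": "High",
   "location": {"file": "app/db.py", "start_line": 40}},
  {"name": "Hardcoded temp directory", "severity": "Medium",
   "location": {"file": "app/io.py", "start_line": 7}},
  {"name": "Rule without rating", "location": {"file": "app/x.py"}},
  {"name": "eval() on user input", "severity": "Critical",
   "location": {"file": "app/api.py", "start_line": 88}}
]}
"""

def severity_of(vuln):
    """Return the finding's severity; missing or unrecognised values count as Unknown."""
    sev = vuln.get("severity", "Unknown")
    return sev if sev in RANK else "Unknown"

def sorted_findings(report):
    """Order findings by severity rank, then by file and line for stable output."""
    def key(v):
        loc = v.get("location") or {}
        return (RANK[severity_of(v)], loc.get("file", ""), loc.get("start_line", 0))
    return sorted(report.get("vulnerabilities") or [], key=key)

def blocking(report, threshold="High"):
    """Findings at or above the threshold severity (hypothetical gate policy)."""
    limit = RANK[threshold]
    return [v for v in sorted_findings(report) if RANK[severity_of(v)] <= limit]

def main(text=SAMPLE_REPORT):
    report = json.loads(text)
    for v in sorted_findings(report):
        loc = v.get("location") or {}
        where = f"{loc.get('file', '?')}:{loc.get('start_line', '?')}"
        print(f"{severity_of(v):<8} {where:<18} {v.get('name', '')}")
    # A non-zero exit status fails the CI job that runs this check.
    return 1 if blocking(report) else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

In a pipeline, a later job would read the downloaded report artifact instead of `SAMPLE_REPORT`.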

A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard does not show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard does not show SAST results. On failure, the analyzer outputs an exit code.

Use cases

  • Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
  • Your application is vulnerable to cross-site scripting (XSS) attacks that can be leveraged to gain unauthorized access to session data.

Requirements

SAST runs in the test stage, which is available by default. If you redefine the stages in the .gitlab-ci.yml file, the test stage is required.

To run SAST jobs, by default, you need GitLab Runner with the docker or kubernetes executor. If you’re using the shared runners on GitLab.com, this is enabled by default.

Caution: Our SAST jobs require a Linux/amd64 container type. Windows containers are not yet supported.

Caution: If you use your own runners, make sure the Docker version installed is not 19.03.0. See troubleshooting information for details.

Supported languages and frameworks

GitLab SAST supports a variety of languages, package managers, and frameworks. Our SAST security scanners also feature automatic language detection, which works even for mixed-language projects. If any supported language is detected in the project source code, we automatically run the appropriate SAST analyzers.

You can also view our language roadmap and request other language support by opening an issue.

| Language (package managers) / framework | Scan tool | Introduced in GitLab version |
|---|---|---|
| .NET Core | Security Code Scan | 11.0 |
| .NET Framework [1] | Security Code Scan | 13.0 |
| Apex (Salesforce) | PMD | 12.1 |
| C | Semgrep | 14.2 |
| C/C++ | Flawfinder | 10.7 |
| Elixir (Phoenix) | Sobelow | 11.1 |
| Go | Gosec | 10.7 |
| Go | Semgrep | 14.4 |
| Groovy [2] | SpotBugs with the find-sec-bugs plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
| Helm Charts | Kubesec | 13.1 |
| Java (any build system) | Semgrep | 14.10 |
| Java [2] | SpotBugs with the find-sec-bugs plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
| Java (Android) | MobSF (beta) | 13.5 |
| JavaScript | ESLint security plugin | 11.8 |
| JavaScript | Semgrep | 13.10 |
| Kotlin (Android) | MobSF (beta) | 13.5 |
| Kotlin (General) [2] | SpotBugs with the find-sec-bugs plugin | 13.11 |
| Kubernetes manifests | Kubesec | 12.6 |
| Node.js | NodeJsScan | 11.1 |
| Objective-C (iOS) | MobSF (beta) | 13.5 |
| PHP | phpcs-security-audit | 10.8 |
| Python (pip) | bandit | 10.3 |
| Python | Semgrep | 13.9 |
| React | ESLint react plugin | 12.5 |
| React | Semgrep | 13.10 |
| Ruby | brakeman | 13.9 |
| Ruby on Rails | brakeman | 10.3 |
| Scala [2] | SpotBugs with the find-sec-bugs plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| Swift (iOS) | MobSF (beta) | 13.5 |
| TypeScript | ESLint security plugin | 11.9, merged with ESLint in 13.2 |
| TypeScript | Semgrep | 13.10 |

  1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. We currently plan to migrate C# coverage to Semgrep-based scanning to make it easier to scan C# projects.
  2. The SpotBugs-based analyzer supports Ant, Gradle, Maven, and SBT. It can also be used with variants like the Gradle wrapper, Grails, and the Maven wrapper.

Multi-project support

Introduced in GitLab 13.7.

GitLab SAST can scan repositories that contain multiple projects.

The following analyzers have multi-project support:

  • Bandit
  • ESLint
  • Gosec
  • Kubesec
  • NodeJsScan
  • MobSF
  • PMD
  • Security Code Scan
  • Semgrep
  • SpotBugs
  • Sobelow

Enable multi-project support for Security Code Scan