SAST Analyzers

SAST relies on underlying third party tools that are wrapped into what we call “Analyzers”. An analyzer is a dedicated project that wraps a particular tool to:

  • Expose its detection logic.
  • Handle its execution.
  • Convert its output to the common format.

This is achieved by implementing the common API.

SAST supports the following official analyzers:

The analyzers are published as Docker images that SAST will use to launch dedicated containers for each analysis.

SAST is pre-configured with a set of default images that are maintained by GitLab, but users can also integrate their own custom images.

Official default analyzers

Any custom change to the official analyzers can be achieved by using an environment variable in your .gitlab-ci.yml.

Using a custom Docker mirror

You can switch to a custom Docker registry that provides the official analyzer images under a different prefix. For instance, the following instructs SAST to pull my-docker-registry/gl-images/bandit instead of registry.gitlab.com/gitlab-org/security-products/analyzers/bandit. In .gitlab-ci.yml define:

include:
  template: SAST.gitlab-ci.yml

variables:
  SAST_ANALYZER_IMAGE_PREFIX: my-docker-registry/gl-images

This configuration requires that your custom registry provides images for all the official analyzers.

Selecting specific analyzers

You can select the official analyzers you want to run. Here’s how to enable bandit and flawfinder while disabling all the other default ones. In .gitlab-ci.yml define:

include:
  template: SAST.gitlab-ci.yml

variables:
  SAST_DEFAULT_ANALYZERS: "bandit,flawfinder"

bandit runs first. When merging the reports, SAST will remove the duplicates and will keep the bandit entries.

Disabling default analyzers

Setting SAST_DEFAULT_ANALYZERS to an empty string will disable all the official default analyzers. In .gitlab-ci.yml define:

include:
  template: SAST.gitlab-ci.yml

variables:
  SAST_DEFAULT_ANALYZERS: ""

That’s needed when one totally relies on custom analyzers.

Custom Analyzers

You can provide your own analyzers as a comma separated list of Docker images. Here’s how to add analyzers/csharp and analyzers/perl to the default images: In .gitlab-ci.yml define:

include:
  template: SAST.gitlab-ci.yml

variables:
  SAST_ANALYZER_IMAGES: "my-docker-registry/analyzers/csharp,amy-docker-registry/analyzers/perl"

The values must be the full path to the container registry images, like what you would feed to the docker pull command.

Note: This configuration doesn’t benefit from the integrated detection step. SAST has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code.
Caution: Custom analyzers are not spawned automatically when Docker In Docker is disabled.

Analyzers Data

Property \ ToolApexBanditBrakemanESLint securityFind Sec BugsFlawfinderGo AST ScannerKubesec ScannerNodeJsScanPhp CS Security AuditSecurity code Scan (.NET)SobelowTSLint Security
Severity𐄂𐄂𐄂𐄂𐄂𐄂
Title
Description𐄂𐄂𐄂𐄂𐄂𐄂
File
Start line𐄂
End line𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Start column𐄂𐄂𐄂𐄂𐄂
End column𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
External id (e.g. CVE)𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
URLs𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Internal doc/explanation𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Solution𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Affected item (e.g. class or package)𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Confidence𐄂𐄂𐄂𐄂𐄂𐄂
Source code extract𐄂𐄂𐄂𐄂𐄂𐄂𐄂𐄂
Internal ID𐄂𐄂
  • ✓ => we have that data
  • ⚠ => we have that data but it’s partially reliable, or we need to extract it from unstructured content
  • 𐄂 => we don’t have that data or it would need to develop specific or inefficient/unreliable logic to obtain it.

The values provided by these tools are heterogeneous so they are sometimes normalized into common values (e.g., severity, confidence, etc).