SAST analyzers

Moved from GitLab Ultimate to GitLab Free in 13.3.

Static Application Security Testing (SAST) uses analyzers to detect vulnerabilities in source code. Each analyzer is a wrapper around a scanner, a third-party code analysis tool.

The analyzers are published as Docker images that SAST uses to launch dedicated containers for each analysis.

SAST default images are maintained by GitLab, but you can also integrate your own custom image.

For each scanner, an analyzer:

  • Exposes its detection logic.
  • Handles its execution.
  • Converts its output to a standard format.

SAST analyzers

SAST supports the following official analyzers:

SAST analyzer features

For an analyzer to be considered Generally Available, it is expected to minimally support the following features:

Post analyzers

Post analyzers enrich the report output by an analyzer. A post analyzer doesn’t modify report content directly. Instead, it enhances the results with additional properties, including:

  • CWEs.
  • Location tracking fields.
  • A means of identifying false positives or insignificant findings.

Data provided by analyzers

Each analyzer provides data about the vulnerabilities it detects. The following table details the data available from each analyzer. Because the values these tools emit are heterogeneous, some of them (for example, severity and confidence) are normalized into common values.

Tools (table columns): Apex, Bandit, Brakeman, ESLint security, SpotBugs, Flawfinder, Gosec, Kubesec Scanner, MobSF, NodeJsScan, PHP CS Security Audit, Security Code Scan (.NET), Semgrep, Sobelow.

Properties (table rows):

  • Affected item (for example, class or package)
  • Confidence
  • Description
  • End column
  • End line
  • External ID (for example, CVE)
  • File
  • Internal doc/explanation
  • Internal ID
  • Severity
  • Solution
  • Source code extract
  • Start column
  • Start line
  • Title
  • URLs

Legend:

  • ✓ => Data is available.
  • ⚠ => Data is available, but it’s partially reliable, or it has to be extracted from unstructured content.
  • ✗ => Data is not available, or it would require specific, inefficient or unreliable logic to obtain it.

Customize analyzers

Use CI/CD variables in your .gitlab-ci.yml file to customize the behavior of your analyzers.

Use a custom Docker mirror

You can use a custom Docker registry, instead of the GitLab registry, to host the analyzers’ images.

Prerequisites:

  • The custom Docker registry must provide images for all the official analyzers.

To have GitLab download the analyzers’ images from a custom Docker registry, define the prefix with the SECURE_ANALYZERS_PREFIX CI/CD variable.

Note: This variable affects all Secure analyzers, not just the analyzers for SAST.

For example, the following instructs SAST to pull my-docker-registry/gitlab-images/bandit instead of registry.gitlab.com/security-products/bandit:

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SECURE_ANALYZERS_PREFIX: my-docker-registry/gitlab-images

Disable all default analyzers

You can disable all default SAST analyzers, leaving only custom analyzers enabled.

To disable all default analyzers, set the CI/CD variable SAST_DISABLED to true in your .gitlab-ci.yml file.

Example:

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_DISABLED: true

Disable specific default analyzers

Analyzers are run automatically according to the source code languages detected. However, you can disable select analyzers.

To disable select analyzers, set the CI/CD variable SAST_EXCLUDED_ANALYZERS to a comma-delimited string listing the analyzers that you want to prevent from running.

For example, to disable the eslint analyzer:

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_EXCLUDED_ANALYZERS: "eslint"

Custom analyzers

You can provide your own analyzers by defining jobs in your CI/CD configuration. For consistency with the default analyzers, you should add the suffix -sast to your custom SAST jobs.

For more details on integrating a custom security scanner into GitLab, see Security Scanner Integration.

Example custom analyzer

This example shows how to add a scanning job that’s based on the Docker image my-docker-registry/analyzers/csharp. It runs the script /analyzer run and outputs a SAST report gl-sast-report.json.

Define the following in your .gitlab-ci.yml file:

csharp-sast:
  image:
    name: "my-docker-registry/analyzers/csharp"
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
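As an added example (not GitLab’s template code), the following Python models how the variables from the “Customize analyzers” sections (SECURE_ANALYZERS_PREFIX, SAST_DISABLED, SAST_EXCLUDED_ANALYZERS) select the default analyzer images, and lints a configuration together with custom -sast jobs like the one above for the mistakes that silently scan less than intended. The default analyzer list, the job naming, and the treatment of the variable values are assumptions for illustration; the registry prefix and image names come from the page’s examples.

```python
# Added example, not GitLab's own template logic. DEFAULT_ANALYZERS is an
# assumed subset; the default registry prefix is the one the page names.
DEFAULT_PREFIX = "registry.gitlab.com/security-products"
DEFAULT_ANALYZERS = ("bandit", "eslint", "semgrep", "spotbugs")  # assumption


def parse_excluded(value):
    """SAST_EXCLUDED_ANALYZERS is comma-delimited; ignore spaces and empty items."""
    return {item.strip() for item in str(value or "").split(",") if item.strip()}


def resolve_sast_jobs(variables, custom_jobs=()):
    """Return {job_name: image} for the SAST jobs that would run.

    `variables` is the parsed `variables:` block of .gitlab-ci.yml.
    `custom_jobs` are dicts such as {"name": "csharp-sast", "image": "...",
    "report": "gl-sast-report.json"} describing user-defined analyzer jobs.
    """
    jobs = {}
    # Assumption: SAST_DISABLED removes only the default analyzers; a YAML
    # `true` reaches the job as the string "true", so compare case-insensitively.
    if str(variables.get("SAST_DISABLED", "")).lower() != "true":
        prefix = variables.get("SECURE_ANALYZERS_PREFIX", DEFAULT_PREFIX).rstrip("/")
        excluded = parse_excluded(variables.get("SAST_EXCLUDED_ANALYZERS"))
        for name in DEFAULT_ANALYZERS:
            if name not in excluded:
                jobs[f"{name}-sast"] = f"{prefix}/{name}"
    for job in custom_jobs:  # custom jobs are unaffected by the variables above
        jobs[job["name"]] = job["image"]
    return jobs


def lint_sast_config(variables, custom_jobs=()):
    """Return warnings for configurations that scan less than the author expects."""
    warnings = []
    unknown = parse_excluded(variables.get("SAST_EXCLUDED_ANALYZERS")) - set(DEFAULT_ANALYZERS)
    for name in sorted(unknown):
        warnings.append(f"SAST_EXCLUDED_ANALYZERS names unknown analyzer '{name}' (typo?)")
    if str(variables.get("SAST_DISABLED", "")).lower() == "true" and not custom_jobs:
        warnings.append("SAST_DISABLED is true and no custom -sast job is defined: nothing is scanned")
    for job in custom_jobs:
        if not job["name"].endswith("-sast"):
            warnings.append(f"custom job '{job['name']}' should use the -sast suffix")
        if not job.get("report"):
            warnings.append(f"custom job '{job['name']}' declares no artifacts.reports.sast file")
    return warnings
```

Run lint_sast_config over the parsed pipeline configuration in a pre-commit hook or CI lint step to catch a misspelled analyzer name or a custom job whose report is never uploaded.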