Static Application Security Testing (SAST)

Introduced in GitLab Ultimate 10.3.

Overview

If you are using GitLab CI/CD, you can analyze your source code for known vulnerabilities using Static Application Security Testing (SAST), either by including the CI job in your existing .gitlab-ci.yml file or by implicitly using Auto SAST that is provided by Auto DevOps.

Going a step further, GitLab can show the vulnerability list right in the merge request widget area.

Use cases

  • Your application is using an external (open source) library, locked to a specific version (e.g., via Gemfile.lock) and the version is known to be vulnerable.
  • Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

Supported languages and frameworks

The following languages and frameworks are supported.

Language (package managers) / framework Scan tool
JavaScript (npm, yarn) gemnasium, Retire.js
Python (pip) gemnasium, bandit
Ruby (gem) gemnasium, bundler-audit
Ruby on Rails brakeman
Java (Maven) gemnasium, find-sec-bugs
PHP (Composer) gemnasium

Some security scanners require to send a list of project dependencies to GitLab central servers to check for vulnerabilities. To learn more about this or to disable it please check GitLab SAST documentation.

How it works

First of all, you need to define a job named sast in your .gitlab-ci.yml file. Check how the sast job should look like.

In order for the report to show in the merge request, there are two prerequisites:

  • the specified job must be named sast
  • the resulting report must be named gl-sast-report.json and uploaded as an artifact

The sast job will perform an analysis on the running web application, the resulting JSON file will be uploaded as an artifact, and GitLab will then check this file and show the information inside the merge request.

SAST Widget

Security report under pipelines

Introduced in GitLab Ultimate 10.6.

Visit any pipeline page which has a sast job and you will be able to see the security report tab with the listed vulnerabilities (if any).

Security Report