Static Application Security Testing (SAST) [ULTIMATE]
Introduced in GitLab Ultimate 10.3.
NOTE: 4 of the top 6 attacks were application based. Download our whitepaper, "A Seismic Shift in Application Security" to learn how to protect your organization.
Overview
If you are using GitLab CI/CD, you can analyze your source code for known vulnerabilities using Static Application Security Testing (SAST).
You can take advantage of SAST by either including the CI job in
your existing .gitlab-ci.yml file or by implicitly using
Auto SAST
that is provided by Auto DevOps.
Going a step further, GitLab can show the vulnerability list right in the merge request widget area.
Use cases
- Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
- Your application is vulnerable to cross-site scripting (XSS) attacks that can be leveraged to unauthorized access to session data
Supported languages and frameworks
The following languages and frameworks are supported.
| Language / framework | Scan tool |
|---|---|
| .NET | Security Code Scan |
| C/C++ | Flawfinder |
| Go | Gosec |
| Groovy (Ant, Gradle, Maven and SBT) | find-sec-bugs |
| Java (Ant, Gradle, Maven and SBT) | find-sec-bugs |
| JavaScript | ESLint security plugin |
| Node.js | NodeJsScan |
| PHP | phpcs-security-audit |
| Python | bandit |
| Ruby on Rails | brakeman |
| Scala (Ant, Gradle, Maven and SBT) | find-sec-bugs |
| Typescript | TSLint Config Security |
Secret Detection
GitLab is also able to detect secrets and credentials that have been unintentionally pushed to the repository. For example, an API key that allows write access to third-party deployment environments.
This check is performed by a specific analyzer during the sast job. It runs regardless of the programming
language of your app, and you don't need to change anything to your
CI/CD configuration file to turn it on. Results are available in the SAST report.
GitLab currently includes Gitleaks and TruffleHog checks.
How it works
First of all, you need to define a job in your .gitlab-ci.yml file that generates the
SAST report artifact.
For more information on how the SAST job should look like, check the
example on Static Application Security Testing with GitLab CI/CD.
GitLab then checks this report, compares the found vulnerabilities between the source and target branches, and shows the information right on the merge request.
Security report under pipelines
Introduced in GitLab Ultimate 10.6.
Visit any pipeline page which has a sast job and you will be able to see
the security report tab with the listed vulnerabilities (if any).
