Deprecation issue: SAST analyzer consolidation in 17.0
Deprecation Summary
Note: This issue is required to have a summary of the deprecation. But the official, up-to-date deprecation notice is published in GitLab documentation.
We're reducing the number of supported analyzers used by default in GitLab SAST. This is part of our long-term strategy to deliver a faster, more consistent user experience across different programming languages.
In GitLab 17.0, we will:
- Remove a set of language-specific analyzers from the SAST CI/CD template and replace their coverage with GitLab-supported detection rules in the Semgrep-based analyzer. The following analyzers are now deprecated and will reach End of Support in GitLab 17.0:
- Brakeman (Ruby, Ruby on Rails)
- Flawfinder (C, C++)
- MobSF (Android, iOS)
- NodeJS Scan (Node.js)
- PHPCS Security Audit (PHP)
- Change the SAST CI/CD template to stop running the SpotBugs-based analyzer for Kotlin and Scala code. These languages will instead be scanned using GitLab-supported detection rules in the Semgrep-based analyzer.
Effective immediately, the deprecated analyzers will receive only security updates; other routine improvements or updates are not guaranteed. After the analyzers reach End of Support in GitLab 17.0, no further updates will be provided. However, we won't delete container images previously published for these analyzers or remove the ability to run them by using custom CI/CD pipeline job definitions.
The vulnerability management system will update most existing findings so that they're matched with the new detection rules. Findings that aren't migrated to the new analyzer will be automatically resolved. See Vulnerability translation documentation for further details.
If you applied customizations to the removed analyzers, or if you currently disable the Semgrep-based analyzer in your pipelines, you must take action as detailed in the deprecation issue for this change.
Action required
You only need to take action if:
- You applied customizations to a deprecated analyzer, such as setting a variable like `SAST_EXCLUDED_ANALYZERS` specifically on a job like `flawfinder-sast`, and that customization still applies to Semgrep-based scanning.
  - You should migrate any option that is still needed to the `semgrep-sast` job.
  - Note that the `semgrep-sast` job itself handles multiple languages. Some of your previous customizations, especially those related to build or compilation processes, may no longer be necessary or may not apply to all languages covered by the Semgrep analyzer.
- You customized a built-in rule from one of the affected analyzers and still need the customization in Semgrep.
  - You should update the customization to refer to the rule's new identifier in this case.
- You have explicitly disabled the Semgrep-based analyzer.
  - You should re-enable the Semgrep-based analyzer in this case.
- You use the GitLab-managed CI/CD template and your pipeline configuration explicitly depends on a job name like `nodejs-scan-sast`.
  - You should change your pipeline to refer to `semgrep-sast` or otherwise update it, depending on your use case.
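As an added illustration (not part of this issue or of GitLab's own templates), the two `.gitlab-ci.yml` documents below, separated by `---`, show a configuration of the kind the items above describe and the equivalent after migration. `SAST_EXCLUDED_ANALYZERS`, `semgrep-sast`, `flawfinder-sast` and `nodejs-scan-sast` come from this issue; the `Jobs/SAST.gitlab-ci.yml` template, the `SAST_EXCLUDED_PATHS` variable and the `gl-sast-report.json` artifact name are standard GitLab SAST features not mentioned above, and the excluded directories and the downstream `report-gate` job are assumptions made for the example.

```yaml
# BEFORE (constructed example): customizations pinned to analyzers that leave
# the template in 17.0, plus the Semgrep-based analyzer disabled globally.
include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  # Excluding semgrep while relying on flawfinder/nodejs-scan means C/C++ and
  # Node.js coverage silently disappears once those jobs are gone.
  SAST_EXCLUDED_ANALYZERS: "semgrep"

flawfinder-sast:
  variables:
    SAST_EXCLUDED_PATHS: "third_party/, vendor/"    # assumed paths

nodejs-scan-sast:
  variables:
    SAST_EXCLUDED_PATHS: "node_modules/, dist/"     # assumed paths

report-gate:                      # hypothetical downstream job
  stage: deploy
  needs: [nodejs-scan-sast]       # breaks when the job no longer exists
  script:
    - test -s gl-sast-report.json

---
# AFTER (constructed example): the same intent expressed against semgrep-sast.
include:
  - template: Jobs/SAST.gitlab-ci.yml

# SAST_EXCLUDED_ANALYZERS is dropped so the Semgrep-based analyzer runs again.
# If you still need it, list only analyzers you genuinely do not want.

semgrep-sast:
  variables:
    # Exclusions merged from the per-analyzer jobs. semgrep-sast scans every
    # supported language, so each path is now excluded for all of them;
    # build- or compiler-specific options from the old jobs do not carry over.
    SAST_EXCLUDED_PATHS: "third_party/, vendor/, node_modules/, dist/"

report-gate:                      # hypothetical downstream job
  stage: deploy
  needs: [semgrep-sast]
  script:
    - test -s gl-sast-report.json
```

When merging exclusions, check that a path excluded to quiet one analyzer (for example a vendored C library) should really be hidden from scans of every other language, since a single job now covers them all.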
Affected Topology
All
Affected Tier
All
Checklists
Labels
- [ ] This issue is labeled deprecation, and with the relevant ~devops::, ~group::, and ~Category: labels.
- [ ] This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.
Timeline
Please add links to the relevant merge requests.
- [ ] As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule: 14.8, 14.9, 14.10, 15.0, then 14.8 is the third milestone preceding the major release):
  - [ ] A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page.
  - [ ] Documentation has been updated to mark the feature as deprecated.
- [ ] On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post.
- [ ] On the major milestone:
  - [ ] The deprecated item has been removed.
  - [ ] If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
Mentions
- [ ] Your stage's stable counterparts have been @mentioned on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team visit product categories
  - If there is no stable counterpart listed for Sales/CS please mention @timtams
  - If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
  - If there is no stable counterpart listed for Marketing please mention @cfoster3
- [ ] Your GPM has been @mentioned so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.
Deprecation Milestone
TBD
Planned Removal Milestone
- %17.0 for the Stable template.
- Earlier releases for the Latest template.