This is about static analysis of security vulnerabilities, not scanning a running application, for example.
- Use open source libraries to scan code
- Use CI to run scanner
- Make it part of Auto DevOps (like code quality and tests)
- Detect language/framework and run matching scan tool
Based on gitlab-ce#32000 (comment 41469199).
Maybe duplicate of #2592
Followup to avoid to execute SAST checks in Code Quality because of
codeclimate plugins: #4011.