Auto SAST

This is about static analysis of security vulnerabilities, not scanning a running application, for example.

Use open source libraries to scan code
- bundler-audit for Ruby projects: https://github.com/rubysec/bundler-audit
- brakeman for Ruby on Rails projects: https://brakemanscanner.org
- Retire.js for JavaScript projects: https://retirejs.github.io/retire.js
- bandit for Python https://github.com/openstack/bandit
Use CI to run scanner
Make it part of Auto DevOps (like code quality and tests)
Detect language/framework and run matching scan tool

Based on https://gitlab.com/gitlab-org/gitlab-ce/issues/32000#note_41469199.

Maybe duplicate of https://gitlab.com/gitlab-org/gitlab-ee/issues/2592

Followup to avoid to execute SAST checks in Code Quality because of codeclimate plugins: https://gitlab.com/gitlab-org/gitlab-ee/issues/4011.

Edited Nov 13, 2017 by Fabio Busatto