Auto SAST
This is about static analysis of security vulnerabilities, not scanning a running application, for example.
- Use open source libraries to scan code:
  - bundler-audit for Ruby projects: https://github.com/rubysec/bundler-audit
  - brakeman for Ruby on Rails projects: https://brakemanscanner.org
  - Retire.js for JavaScript projects: https://retirejs.github.io/retire.js
  - bandit for Python projects: https://github.com/openstack/bandit
- Use CI to run scanner
- Make it part of Auto DevOps (like code quality and tests)
- Detect language/framework and run matching scan tool
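One way the "detect the framework, then run the matching scanner" step could look in a CI job, as an added example (not GitLab's Auto DevOps code): the detection rules, the fixture project and the path handling are assumptions; the scanner commands are the tools' own CLIs.

```shell
#!/bin/sh
# Added example, not GitLab's own Auto DevOps code: pick the SAST scanners
# listed above from the manifests a project ships. The fixture project and
# the detection heuristics are constructed for this demo.

# Print the matching scanner names, one per line, for project directory $1.
detect_sast_tools() {
  dir="$1"
  if [ -f "$dir/Gemfile.lock" ]; then
    echo bundler-audit
    # Rails apps list the rails gem under "specs:" with a 4-space indent.
    grep -q '^    rails ' "$dir/Gemfile.lock" && echo brakeman
  fi
  [ -f "$dir/package.json" ] && echo retire.js
  if [ -f "$dir/requirements.txt" ] || [ -f "$dir/setup.py" ]; then
    echo bandit
  fi
  return 0
}

# The command a CI job runs for each scanner (each tool's documented CLI).
sast_command() {
  case "$1" in
    bundler-audit) echo "bundle audit check --update" ;;
    brakeman)      echo "brakeman -q" ;;
    retire.js)     echo "retire --path ." ;;
    bandit)        echo "bandit -r ." ;;
    *)             echo "unknown scanner: $1" >&2; return 1 ;;
  esac
}

# Constructed sample: a Rails app that also ships a package.json. Prints its path.
make_sample_project() {
  d=$(mktemp -d)
  printf 'GEM\n  specs:\n    rails (5.1.4)\n    rack (2.0.3)\n' > "$d/Gemfile.lock"
  printf '{ "name": "demo", "dependencies": { "jquery": "1.8.0" } }\n' > "$d/package.json"
  echo "$d"
}

# Emit one "<scanner>: <command>" line per scanner the project needs.
plan_sast_jobs() {
  detect_sast_tools "$1" | while read -r tool; do
    echo "$tool: $(sast_command "$tool")"
  done
}

project=$(make_sample_project)
plan_sast_jobs "$project"
rm -rf "$project"
```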
Based on https://gitlab.com/gitlab-org/gitlab-ce/issues/32000#note_41469199.
Maybe duplicate of https://gitlab.com/gitlab-org/gitlab-ee/issues/2592
Follow-up to avoid executing SAST checks in Code Quality because of the codeclimate
plugins: https://gitlab.com/gitlab-org/gitlab-ee/issues/4011.
Edited by Fabio Busatto