SAST for Java Android support (via spotbugs)

Problem to solve

SAST analysis should be fully automated within the GitLab SAST CI module, so that the default SAST Docker image is able to detect that an Android Gradle app needs the Android SDK in order to compile.

Intended users

Delaney, Sasha, Devon, Sam and Cameron

Further details

You can start a SAST job in a CI pipeline by adding just a few lines that use the default SAST tool image included in the GitLab YAML SAST definition. There is no need to spend time creating your own image based on the GitLab SAST image and extending it with the Android SDK (the sdk tool, environment variables, configuration and much more). You also don't have to extend the Gradle descriptors of your Android app to support SAST tools like SpotBugs in order to achieve a result similar to what the GitLab SAST solution can offer.
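As an added illustration (not part of the original issue), this is the shape of the "few lines" mentioned above: a `.gitlab-ci.yml` that includes the GitLab SAST template, followed by the kind of job override a team currently needs to run SpotBugs on an Android Gradle app. The image name, the `ANDROID_HOME` path and the existence of a custom image are assumptions for the example; the template path `Security/SAST.gitlab-ci.yml` and the `spotbugs-sast` job name come from the GitLab SAST template.

```yaml
# .gitlab-ci.yml (added example, not from the issue)

stages:
  - build
  - test

# The ideal case described in the issue: including the template is enough,
# and the default analyzer image handles the Android SDK requirement itself.
include:
  - template: Security/SAST.gitlab-ci.yml

# Today's workaround for an Android Gradle app: override the spotbugs-sast
# job so it runs in a derived image that adds the Android SDK on top of the
# GitLab SpotBugs analyzer image. The image reference below is a placeholder
# for an image you build and push yourself; it does not exist by default.
spotbugs-sast:
  image: "$CI_REGISTRY_IMAGE/sast-android:latest"   # placeholder custom image
  variables:
    # Assumed install location of the SDK inside the custom image; the
    # Android Gradle plugin reads this variable to locate the SDK.
    ANDROID_HOME: "/opt/android-sdk"
```

Once the analyzer image ships with Android SDK detection built in, the `spotbugs-sast` override block becomes unnecessary and only the `include` remains.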

Proposal

Devon can straightforwardly implement a SAST task using the integrated GitLab SAST image that supports Java Gradle Android apps like the one developed by Sasha. In this way Sasha can check SAST issues directly on their Merge Requests, so as to produce more fixes and secure, robust code. Delaney can be more confident that his team benefits from the security advisories produced by the GitLab SAST tool: he doesn't need to extend the Android app with Gradle plugins such as SpotBugs and others, and he is confident in the choices that GitLab made in its own SAST containers. Sam can rely on the GitLab SAST container, having more time to invest in security issues other than SAST ones. Cameron is confident that the compliance of their SDLC is well maintained and consistent with other security tasks that use the GitLab Security platform tools.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Taylor McCaslin