Static Analysis Analyzer consolidation in 16.0

Deprecation Summary

GitLab SAST uses various analyzers to scan code for vulnerabilities.

We are reducing the number of analyzers used in GitLab SAST as part of our long-term strategy to deliver a better and more consistent user experience. Streamlining the set of analyzers will also enable faster iteration, better results, and greater efficiency (including a reduction in CI runner usage in most cases).

In GitLab %16.0, GitLab SAST will no longer use the following analyzers by default:

These analyzers will be removed from the GitLab-managed SAST CI/CD template and replaced with the Semgrep-based analyzer.

Because they are being deprecated in %15.9, they may no longer receive routine updates, except for security issues. We will not delete container images previously published for these analyzers; any such change would be announced as a deprecation, removal, or breaking change announcement.

In GitLab %16.0, we will also remove Scala from the scope of the SpotBugs analyzer and replace it with the Semgrep-based analyzer. This change will make it simpler to scan Scala code; compilation will no longer be required. This change will be reflected in the automatic language detection portion of the GitLab-managed SAST CI/CD template. Note that the SpotBugs-based analyzer will continue to cover Groovy and Kotlin.

Actions Required

You only need to take action if:

  1. You applied customizations to the SCS-based analyzer, such as setting a variable like SAST_EXCLUDED_ANALYZERS specifically on a job like security-code-scan-sast, and that customization still applies to Semgrep.
    • You should migrate any option that is still needed to the semgrep-sast job.
    • Note that the semgrep-sast job itself handles multiple languages. Some of your previous customizations, especially those related to build or compilation processes, may no longer be necessary or may not apply to all languages covered by the Semgrep analyzer.
  2. You customized a built-in rule from one of the affected analyzers and still need the customization in Semgrep.
    • You should update the customization to refer to the rule's new identifier in this case.
  3. You have explicitly disabled the Semgrep-based analyzer.
    • You should re-enable the Semgrep-based analyzer in this case.
  4. You use the GitLab-managed CI/CD template and your pipeline configuration explicitly depends on a job name like security-code-scan-sast.
    • You should change your pipeline to refer to semgrep-sast or otherwise update it, depending on your use case.
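The migration covered by items 1, 3 and 4 above, shown as an added before/after `.gitlab-ci.yml` illustration written for this page (it is not GitLab's own template; the `report-gate` job name and the `SAST_EXCLUDED_PATHS` value are assumed, while `SAST_EXCLUDED_ANALYZERS`, the job names and `Security/SAST.gitlab-ci.yml` are GitLab's):

```yaml
# --- BEFORE (pre-16.0): customizations pinned to the SCS job ---
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Item 3: Semgrep explicitly disabled. Once security-code-scan-sast is
  # removed in 16.0 this leaves C# with no SAST coverage at all.
  SAST_EXCLUDED_ANALYZERS: "semgrep"

security-code-scan-sast:
  variables:
    # Item 1: exclusion set only on the SCS job (assumed example value).
    SAST_EXCLUDED_PATHS: "spec,test,tests,tmp"

report-gate:                               # assumed downstream job name
  stage: .post
  # Item 4: hard dependency on a job name that disappears in 16.0;
  # the pipeline fails with an unknown "needs" reference once it is gone.
  needs: ["security-code-scan-sast"]
  script:
    - test -f gl-sast-report.json

---
# --- AFTER (16.0-ready): same intent, moved to the Semgrep-based job ---
include:
  - template: Security/SAST.gitlab-ci.yml

# Item 3: SAST_EXCLUDED_ANALYZERS no longer lists "semgrep" (here it is
# dropped entirely), so the semgrep-sast job runs again.

semgrep-sast:
  variables:
    # Item 1: exclusion migrated to the job that now scans C#. Because
    # semgrep-sast covers several languages, this setting now applies to
    # every language it scans, not only C#; build-related SCS options
    # (e.g. anything about restoring or compiling the project) are not
    # carried over because Semgrep does not compile.
    SAST_EXCLUDED_PATHS: "spec,test,tests,tmp"

report-gate:
  stage: .post
  needs: ["semgrep-sast"]                  # Item 4: updated job reference
  script:
    - test -f gl-sast-report.json
```

The two documents are separated by `---` only so they can sit in one block; in a real project only the AFTER half goes into `.gitlab-ci.yml`.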

Affected Topology

All deployment types (~SaaS and self-managed) are affected.

Affected Tier

All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.

Checklist

Deprecation Milestone

%15.9

Planned Removal Milestone

%16.0

Links

Deprecation Announcement:

  • Documentation:
  • MR:

Documentation topic:

Proposal

Proposed scope: all analyzers that have Semgrep-based scanning coverage in GitLab SAST by 15.9 (or are very likely to land in 15.10) are removed from the CI/CD template and moved to End of Support status in 16.0. Epic for conversions: Semgrep-based analysis in GitLab SAST (&5245 - closed)

  • Update CI/CD template to remove SCS coverage
  • Update CI/CD template to remove Scala coverage from SpotBugs
    • Fully removing the analyzer seems a bit steeper... with low-ish Kotlin and Groovy workloads, I think getting Java and Scala off of SpotBugs is the biggest benefit. Keeping the analyzer alive for Kotlin and Groovy also simplifies the "backup option" if Semgrep-based scanning doesn't work for whatever reason.
  • Mark phpcs-security-audit as End of Support and update CI/CD template to replace its job with a stub (same as eslint/gosec/bandit)

Note: The removal of phpcs-security-audit has been dropped from this proposal because PHP support has not been added to our Semgrep-based analyzer.

Implementation Plan

Edited by Connor Gilbert