SAST Scanning in VS Code
The purpose of this issue is to identify the editor-extension-specific work required to bring SAST scanning into the IDEs, starting with VS Code. Depending on the requirements, we will either promote this issue to an epic or create an epic to cover the integration.
Problem to Solve
Our customers want to provide their engineers with a way to fix vulnerabilities before committing code. Today, late discovery leads to increased costs and time spent on remediating security issues that could have been addressed earlier in the dev cycle. At GitLab, we already have comprehensive SAST scanning in the pipeline. Our goal is to integrate SAST directly into the IDE via our editor extensions, enabling developers to identify and address security concerns before committing their code.
Context
The static analysis group has been working on bringing SAST scanning to the IDEs. Please have a look at the following for full context.
- Epic describing the problem (starting with scanning on file save).
- Spike to run API-based scanning
Where We Come In
- Interface and user interaction. Editor extensions will serve as the primary interface for SAST features within the IDE. They will handle the interaction with the language server to trigger scans, display results, and offer actionable insights directly in the editor.
- Configuration and customization. Developers should be able to configure scanning according to their specific needs. For the MVC this will be minimal: users can disable scanning in the IDE.
User Workflow in the IDE
TBD
Implementation Details
TBD