Feedback issue for SAST analyzer C/C++ support
This issue tracks initial evaluation of GitLab's SAST analysis capabilities for C and C++.
Overview
GitLab currently supports an experimental integration of the Clang Static Analyzer.
The GitLab clangsa analyzer wraps Clang static analyzer via the recommended command line tool, CodeChecker.
The GitLab managed analyzers/clangsa project provides the following:
- FIPS validated Docker images tested in GitLab.com runners.
- Vulnerability filtering via `SAST_EXCLUDED_PATHS` and `SEARCH_MAX_DEPTH`.
- GitLab ruleset customization.
- Tooling and documentation to assist with the use of compilation databases.
- Conversion of the CodeChecker output to `gl-sast-report.json` format, including CWE mappings and vulnerability tracking data.
Quickstart
- Requirements:
  - The analyzer job requires a compilation database (CDB) in the root of the repository.
  - For the best results, source dependencies (i.e. header files and/or C++20 module interface units or BMIs) should be made available to the analyzer prior to scan. For example, untracked header files that are generated or installed from a developer package should be copied to the analyzer job as artifacts.
  - Be aware that the analyzer uses the `clang` compile frontend, so other compiler extensions may require additional configuration and may not parse correctly.
- Adding a scan job to your project:
  - The easiest way is to use the `add-clangsa` branch of the SAST component. E.g. add the following to your `.gitlab-ci.yml` pipeline config:

    ```yaml
    include:
      - component: gitlab.com/components/sast/sast@add-clangsa
    ```

  - The job can also be added directly:

    ```yaml
    clangsa-sast:
      stage: test
      image:
        name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/security-products/analyzers/clangsa:0"
      allow_failure: true
      variables:
        SEARCH_MAX_DEPTH: '4'
        SAST_EXCLUDED_PATHS: spec, test, tests, tmp
      script:
        - /analyzer run
      artifacts:
        access: developer
        reports:
          sast:
            - gl-sast-report.json
    ```
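A complete pipeline that satisfies both requirements above (a CDB in the repository root, and generated headers available to the scan), added here as an example rather than taken from this issue or the clangsa project: a build job generates the compilation database with CMake, copies it to the repository root, and passes it together with the build tree to the scan job. The `build-cdb` job name, the `ubuntu:24.04` image, the `build/` directory and the apt package list are assumptions about a typical CMake project; the `clangsa-sast` job is the one shown above with a `needs` dependency added.

```yaml
# Added example, not part of the GitLab issue or the clangsa project.
# Assumes a CMake-based C/C++ project; job names, image and build dir are illustrative.
stages:
  - build
  - test

build-cdb:
  stage: build
  image: ubuntu:24.04          # assumed; any image with cmake and a compiler works
  script:
    - apt-get update && apt-get install -y --no-install-recommends cmake g++ make
    # CMAKE_EXPORT_COMPILE_COMMANDS makes CMake write build/compile_commands.json
    - cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
    # Building runs configure_file()/custom commands that emit headers under build/
    - cmake --build build
    # The analyzer looks for the CDB in the repository root, not in build/
    - cp build/compile_commands.json compile_commands.json
  artifacts:
    paths:
      - compile_commands.json
      - build/                 # generated headers that the CDB's -I flags point at
    expire_in: 1 day

clangsa-sast:
  stage: test
  needs: [build-cdb]           # fetch the CDB and build tree before scanning
  image:
    name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/security-products/analyzers/clangsa:0"
  allow_failure: true
  variables:
    SEARCH_MAX_DEPTH: '4'
    SAST_EXCLUDED_PATHS: spec, test, tests, tmp
  script:
    - /analyzer run
  artifacts:
    access: developer
    reports:
      sast:
        - gl-sast-report.json
```

Two things to check before relying on this: the CDB records absolute `directory` and `file` paths, so the scan job must see the checkout at the same path as the build job (both run in `$CI_PROJECT_DIR`, which is stable across jobs of one pipeline), and commands recorded from GCC may contain flags the `clang` frontend rejects, which is the parsing caveat listed under Requirements. If the build tree is large, narrow the artifact with `artifacts:exclude` to the generated headers rather than shipping object files.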
Where to go for help
- See the example projects for different configuration options.
- Leave a comment with your questions, and we'll do our best to respond within 2 business days. Depending on the volume of questions, we may not be able to address them all in a timely manner. It's appreciated if you include enough context, and what you've already tried, in order to reduce cycles.
Known limitations
- The CWE mappings are in draft. See the epic "C/C++ Support | Review Clang's checker mappings" (&17682 - closed).
FAQ
- Is this production-ready?
No. This is an Experiment with all the caveats that come in this stage of development, including not being ready for production use.
- When is the generally-available release going to be available?
It's currently planned for FY26-Q4 (%18.8). You can follow the parent epic to see the progress into Beta and GA stages.
- The scan results didn't include a finding that I expected. Can you address it?
In the Experiment phase our main goal is to establish the integration of the analyzer with the pipeline of C/C++ projects. While we're interested in feedback related to results, our priority in this phase is to ensure that most users can run the analyzer successfully, and incorporate improvements that make initial setup easier.
- Are you planning to use analyzers other than Clang?
Yes. This analyzer was chosen as the initial integration, and we intend to add others during the Beta stage of development, including more tools and features developed by GitLab.