Verify customer-specific language and repository combinations & test SAST on private repos
Purpose
Per this: #11137 (comment 263827678)
And before this: #119446 (closed)
We should do a one-off test of all SAST scanners with private repos (chosen by us), and speak to customers interested in the original issue to find out their specific language and repository combinations and test those in addition.
TEST
https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks
| Language (package managers) / framework | Scan tool | Introduced in GitLab version |
|---|---|---|
| .NET | Security Code Scan | 11.0 |
| Any | Gitleaks and TruffleHog | 11.9 |
| Apex (Salesforce) | pmd | 12.1 |
| C/C++ | Flawfinder | 10.7 |
| Elixir (Phoenix) | Sobelow | 11.10 |
| Go | Gosec | 10.7 |
| Groovy (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
| Java (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
| JavaScript | ESLint security plugin | 11.8 |
| Kubernetes manifests | Kubesec | 12.6 |
| Node.js | NodeJsScan | 11.1 |
| PHP | phpcs-security-audit | 10.8 |
| Python (pip) | bandit | 10.3 |
| React | ESLint react plugin | 12.5 |
| Ruby on Rails | brakeman | 10.3 |
| Scala (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| TypeScript | TSLint config security | 11.9 |
Customers
Edited by Nicole Schwartz