Enable GitLab Advanced SAST (cross-file, cross-function scanning) for more languages
Motivation
GitLab Advanced SAST provides cross-file, cross-function scanning, including a more powerful engine and matching detection rules. Enabling these capabilities for additional languages will improve SAST detection accuracy for customers.
Scope
This effort only includes languages that GitLab SAST currently scans using Semgrep-based scanning.
We are not currently:
- Expanding the overall set of languages that GitLab SAST supports. That is, we are not adding languages that aren't already supported by an official GitLab SAST analyzer.
- Migrating coverage from language-specific analyzers (SpotBugs, PMD-Apex, Sobelow) to Advanced SAST.
For details on these scope exclusions, see SAST Direction: What is not planned right now.
Language priority and status
We will enable Advanced SAST for new languages in the following priority order. This table only includes languages that are not complete yet; see also completed languages.
Language | Expected release | Notes |
---|---|---|
PHP | 17.11 (April 2025) | Engine work expected to complete in 17.9. Rule development planned for 17.10 and 17.11. |
C/C++ | During 2025 | Technical design starting in 17.10. We plan to release iteratively over the course of 2025. |
Kotlin | Pending | |
Scala | Pending | |
iOS (Swift and Objective-C) | Pending | |
Table last updated 2025-02-06; last reviewed 2025-02-06
Languages not covered are not planned; see SAST direction: language support.
This priority order is based on how often these languages come up in customer engagements, and on usage data where available. (See the internal note for this data.)
We can discuss changes to this order in comments.
Completed languages
See documentation for up-to-date support details.
- Python: Shipped in %17.1. https://gitlab.com/groups/gitlab-org/-/epics/13282+s (internal epic)
- Java: Shipped in %17.2. https://gitlab.com/groups/gitlab-org/-/epics/13284+s (internal epic)
- Java Server Pages: Shipped. https://gitlab.com/gitlab-org/gitlab/-/issues/478414 (internal issue)
- Go: Shipped in %17.2. https://gitlab.com/groups/gitlab-org/-/epics/13284+s (internal epic)
- JavaScript: Shipped in %17.3. https://gitlab.com/groups/gitlab-org/-/epics/13286+s (internal epic)
- TypeScript: Shipped in %17.3. Advanced SAST support for TypeScript (&14272, closed)
- C#: Shipped in %17.3. Advanced SAST support for C# (&14269, closed)
- Ruby: Shipped in %17.5. Advanced SAST support for Ruby (&14425, closed)
List last updated 2024-12-17
Requirements for each language
We need to deliver each language as an end-to-end capability, meaning:
- The engine must support cross-file, cross-function scanning for that language.
- The ruleset must include rules that leverage cross-file, cross-function taint analysis.
  - Note: This is not a limiting rule! We should still include appropriate rules that do not require taint analysis.
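To illustrate why the engine requirement matters, here is an added toy example (not GitLab's engine or rules) in Python, one of the completed languages: a taint check run over two constructed modules. A one-function-at-a-time rule reports nothing, because the untrusted value is read in one file and reaches the SQL sink in another; a one-hop cross-function summary surfaces the flow. `PROJECT`, `SOURCE_PARAM`, `SINK_METHOD` and all functions are constructed for this example.

```python
import ast

# Constructed two-file project (not real GitLab code): the untrusted value is read in
# views.py but only reaches the SQL sink inside db.py, so no single function holds both.
PROJECT = {
    "db.py": "def run_query(conn, q):\n    cur = conn.cursor()\n    cur.execute(q)\n",
    "views.py": ("from db import run_query\ndef user_handler(request, conn):\n"
                 "    user_id = request.args['id']\n"
                 "    sql = 'SELECT * FROM users WHERE id = ' + user_id\n"
                 "    return run_query(conn, sql)\n"),
}
SOURCE_PARAM = "request"  # the framework request object is the untrusted source
SINK_METHOD = "execute"   # cursor.execute(...) is the SQL sink

def uses(expr, names):
    """True if the expression mentions any of the given (tainted) variable names."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(expr))

def sink_param_positions(func):
    """Positions of func's parameters that reach the sink: the cross-function summary."""
    params = [a.arg for a in func.args.args]
    return {params.index(n.id) for call in ast.walk(func)
            if isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
            and call.func.attr == SINK_METHOD
            for arg in call.args for n in ast.walk(arg)
            if isinstance(n, ast.Name) and n.id in params}

def find_flows(project, cross_function=True):
    """Return (file, line) of calls that pass request-derived data into the sink.
    cross_function=False models a one-function-at-a-time rule; True also treats a call
    into a function whose parameter reaches the sink as a sink (one hop, for brevity)."""
    funcs = {n.name: n for src in project.values()  # index functions across all files
             for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)}
    summaries = {name: sink_param_positions(f) for name, f in funcs.items()}
    findings = []
    for path, src in project.items():
        for func in (n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)):
            tainted = {SOURCE_PARAM} & {a.arg for a in func.args.args}
            for stmt in func.body:  # coarse forward propagation through assignments
                if isinstance(stmt, ast.Assign) and uses(stmt.value, tainted):
                    tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                    direct = isinstance(call.func, ast.Attribute) and call.func.attr == SINK_METHOD
                    callee = call.func.id if isinstance(call.func, ast.Name) else None
                    via_callee = cross_function and callee in summaries and any(
                        i < len(call.args) and uses(call.args[i], tainted) for i in summaries[callee])
                    if (direct and any(uses(a, tainted) for a in call.args)) or via_callee:
                        findings.append((path, call.lineno))
    return findings
```

A real engine also needs sanitizer rules, transitive summaries and import resolution; this toy only shows the gap between the intra-function and cross-function views.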