
Enable GitLab Advanced SAST (cross-file, cross-function scanning) for more languages

    Open Epic created by Connor Gilbert

    Motivation

    GitLab Advanced SAST provides cross-file, cross-function scanning, including a more powerful engine and matching detection rules. Enabling these capabilities for additional languages will improve SAST detection accuracy for customers.

    Scope

    This effort only includes languages that GitLab SAST currently scans using Semgrep-based scanning.

    We are not currently:

    1. Expanding the set of languages that GitLab SAST supports overall. That is, we are not adding brand-new languages that aren't already supported by an official GitLab SAST analyzer.
    2. Migrating coverage from language-specific analyzers (SpotBugs, PMD-Apex, Sobelow) to Advanced SAST.

    For details on these scope exclusions, see SAST Direction: What is not planned right now.

    Language priority and status

    We will enable Advanced SAST for new languages in the following priority order. This table only includes languages that are not complete yet; see also completed languages.

    Language                      Expected release     Notes
    PHP                           17.11 (April 2025)   Engine work expected to complete in 17.9. Rule development planned for 17.10 and 17.11.
    C/C++                         During 2025          Technical design starting in 17.10. We plan to release iteratively over the course of 2025.
    Kotlin                        Pending
    Scala                         Pending
    iOS (Swift and Objective-C)   Pending

    Table last updated 2025-02-06; last reviewed 2025-02-06

    Languages not covered are not planned; see SAST direction: language support.

    This priority order is based on the frequency with which these languages come up in customer engagements, and based on usage data where available. (See internal note for this data.)

    We can discuss changes to this order in comments.

    Completed languages

    See documentation for up-to-date support details.

    List last updated 2024-12-17

    Requirements for each language

    We need to deliver each language as an end-to-end capability, meaning:

    • The engine must support cross-file, cross-function scanning for that language.
    • The ruleset must include rules that leverage cross-file, cross-function taint analysis.
      • Note: This is not a limiting rule! We should still include appropriate rules that do not require taint analysis.
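
    To make the second requirement concrete, the following is an added illustration, not GitLab's engine or any Advanced SAST rule: a deliberately small interprocedural taint tracker built on Python's ast module, run over two constructed source files. The source pattern (request.args.get) and sink pattern (.execute) are hypothetical choices for this toy, and the sample files are constructed for the demonstration. It shows why a rule that needs cross-file, cross-function taint analysis finds nothing when the analyzer can only see one file at a time: the tainted value is read in web.py but only reaches a sink after it is passed into a function defined in db.py.

```python
import ast
from typing import Dict, List, Set, Tuple

# Two constructed source files standing in for a small application.
# The flow of interest starts in web.py and ends in db.py, so an analyzer
# that looks at one file (or one function) at a time never sees it.
FILES: Dict[str, str] = {
    "web.py": """
from flask import request
from db import run_query

def handler():
    user_id = request.args.get("id")   # attacker-controlled input (source)
    return run_query(user_id)          # value leaves this file
""",
    "db.py": """
import sqlite3
conn = sqlite3.connect(":memory:")

def run_query(value):
    query = "SELECT * FROM items WHERE id = " + value
    return conn.execute(query)         # dangerous call (sink)
""",
}

# Hypothetical source/sink patterns for this toy; a real ruleset carries many more.
SOURCE = "request.args.get"
SINK_SUFFIX = ".execute"


def dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as request.args.get as one string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def index_functions(files: Dict[str, str]) -> Dict[str, Tuple[str, ast.FunctionDef]]:
    """Map every function name to (file name, FunctionDef) across all files."""
    table = {}
    for fname, src in files.items():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.FunctionDef):
                table[node.name] = (fname, node)
    return table


class TaintTracker:
    def __init__(self, files: Dict[str, str], cross_file: bool) -> None:
        self.cross_file = cross_file          # False = single-file analysis only
        self.funcs = index_functions(files)
        self.findings: List[str] = []
        self.seen: Set[Tuple[str, frozenset]] = set()

    def expr_tainted(self, expr: ast.AST, tainted: Set[str]) -> bool:
        """Over-approximate: tainted if it is a source call or mentions a tainted name."""
        if isinstance(expr, ast.Call) and dotted(expr.func) == SOURCE:
            return True
        return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))

    def analyze(self, fname: str, fn: ast.FunctionDef, tainted: Set[str], depth: int = 0) -> None:
        """Walk one function body given the set of parameter names that arrive tainted."""
        key = (fn.name, frozenset(tainted))
        if key in self.seen or depth > 10:       # stop on repeated contexts / deep recursion
            return
        self.seen.add(key)
        tainted = set(tainted)
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and self.expr_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                self.check_call(fname, fn, call, tainted, depth)

    def check_call(self, fname, fn, call, tainted, depth) -> None:
        name = dotted(call.func)
        args_tainted = [self.expr_tainted(a, tainted) for a in call.args]
        if name.endswith(SINK_SUFFIX) and any(args_tainted):
            self.findings.append(f"{fname}:{call.lineno} tainted data reaches {name}() inside {fn.name}()")
            return
        target = self.funcs.get(name)
        if target is None:
            return
        target_file, target_fn = target
        if target_file != fname and not self.cross_file:
            return                               # single-file mode cannot follow the call
        params = [a.arg for a in target_fn.args.args]
        passed = {p for p, t in zip(params, args_tainted) if t}
        self.analyze(target_file, target_fn, passed, depth + 1)   # interprocedural step

    def run(self) -> List[str]:
        for fname, fn in self.funcs.values():    # every function is a potential entry point
            self.analyze(fname, fn, set())
        return self.findings


def scan(cross_file: bool) -> List[str]:
    return TaintTracker(FILES, cross_file).run()


if __name__ == "__main__":
    print("single-file:", scan(False))   # []
    print("cross-file: ", scan(True))    # one finding in db.py
```

    Running the tracker in single-file mode reports nothing, because the call from handler() into run_query() cannot be followed across the file boundary; the cross-file mode follows the argument into the callee's parameter and reports the flow at the sink in db.py. The same gap applies to the first requirement: a rule that expresses this flow is only useful once the engine can resolve the call.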
    Edited by Connor Gilbert
