# Enable GitLab Advanced SAST (cross-file, cross-function scanning) for more languages

## Motivation

[GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) provides cross-file, cross-function scanning, including a more powerful engine and matching detection rules. Enabling these capabilities for additional languages will improve SAST detection accuracy for customers.

### Scope

This effort only includes languages that GitLab SAST currently scans using Semgrep-based scanning. We are **not** currently:

1. Expanding the set of languages that GitLab SAST supports, overall. That is, we are not adding net-new languages that aren't [already supported by an official GitLab SAST analyzer](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks).
1. Migrating coverage from language-specific analyzers (SpotBugs, PMD-Apex, Sobelow) to Advanced SAST.

For details on these scope exclusions, see [SAST Direction: What is not planned right now](https://about.gitlab.com/direction/application_security_testing/static-analysis/sast/#what-is-not-planned-right-now).

## Language priority and status

We will enable Advanced SAST for new languages in the following priority order. This table only includes languages that are _not complete yet_; see also [completed languages](#completed-languages).

| Language | Expected release | Notes |
|----------|------------------|-------|
| [C/C++](https://gitlab.com/groups/gitlab-org/-/epics/14271) | During 2025 | In progress, with expected releases during 2025. |
| [Kotlin](https://gitlab.com/groups/gitlab-org/-/epics/15173) | Pending | |
| [Scala](https://gitlab.com/groups/gitlab-org/-/epics/15174) | Pending | |
| [iOS (Swift and Objective-C)](https://gitlab.com/groups/gitlab-org/-/epics/16318) | Pending | |

<sup><em>Table last updated 2025-06-11; last reviewed 2025-06-11</em></sup>

_Languages not covered are not planned; see [SAST direction: language support](https://about.gitlab.com/direction/application_security_testing/static-analysis/sast/#language-support)._

This priority order is based on the frequency with which these languages come up in customer engagements, and on usage data where available. (See [internal note](https://gitlab.com/groups/gitlab-org/-/epics/14312#note_1969720471) for this data.) We can discuss changes to this order in comments.

### Completed languages

See [documentation](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html#supported-languages) for up-to-date support details.

- Python: Shipped in %17.1. https://gitlab.com/groups/gitlab-org/-/epics/13282+s (internal epic)
- Java: Shipped in %17.2. https://gitlab.com/groups/gitlab-org/-/epics/13284+s (internal epic)
- Java Server Pages: Shipped. https://gitlab.com/gitlab-org/gitlab/-/issues/478414 (internal issue)
- Go: Shipped in %17.2. https://gitlab.com/groups/gitlab-org/-/epics/13284+s (internal epic)
- JavaScript: Shipped in %17.3. https://gitlab.com/groups/gitlab-org/-/epics/13286+s (internal epic)
- TypeScript: Shipped in %17.3. https://gitlab.com/groups/gitlab-org/-/epics/14272+s
- C#: Shipped in %17.3. https://gitlab.com/groups/gitlab-org/-/epics/14269+s
- Ruby: Shipped in %17.5. https://gitlab.com/groups/gitlab-org/-/epics/14425+s
- PHP: Shipped in %18.1. https://gitlab.com/groups/gitlab-org/-/epics/14273+s

<sup><em>List last updated 2025-06-11</em></sup>

## Requirements for each language

We need to deliver each language as an end-to-end capability, meaning:

- The engine must support cross-file, cross-function scanning for that language.
- The ruleset must include rules that leverage cross-file, cross-function taint analysis.
  - Note: This is not a limiting rule! We should still include appropriate rules that do not require taint analysis.
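The second requirement, rules that leverage cross-file, cross-function taint analysis, is easiest to see on a concrete flow where the untrusted input and the dangerous sink live in different functions in different files. The toy analyzer below is an added example for this epic, not GitLab's engine, ruleset or the Semgrep-based analyzer it replaces. Everything in it is an assumption for illustration: the two sample files, the `request.args` expression treated as an untrusted source, `execute` as a raw-SQL sink and `escape` as a sanitizer. It computes a per-function summary (which parameters reach a sink, which reach the return value) and iterates to a fixpoint so that a callee's summary feeds back into its callers, which is the essence of inter-procedural taint tracking.

```python
"""Toy inter-procedural taint analysis over Python source (added example;
not GitLab's Advanced SAST engine). Source/sink/sanitizer names and the
sample files are constructed assumptions."""
import ast

SOURCE_PREFIX = "request.args"  # assumed: untrusted HTTP input
SINK = "execute"                # assumed: raw SQL execution sink
SANITIZER = "escape"            # assumed: call that neutralises taint
SRC = "src"                     # taint label for a concrete source

# Constructed sample repository: the source lives in handlers.py, the sink
# in db.py, so no single function (or file) contains the whole flow.
FILES = {
    "handlers.py": """
def get_user(request):
    name = request.args["name"]
    return run_query(name)

def get_user_escaped(request):
    name = request.args["name"]
    return run_query(escape(name))
""",
    "db.py": """
def run_query(value):
    sql = "SELECT * FROM users WHERE name = '" + value + "'"
    return execute(sql)
""",
}


def _callee_name(call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)


class TaintAnalyzer:
    """Summary-based analysis; straight-line bodies only, function names
    assumed unique across files (both are simplifications of a real engine)."""

    def __init__(self, files, cross_function=True):
        self.cross_function = cross_function
        self.funcs = {}  # function name -> (file, FunctionDef)
        for path, src in files.items():
            for node in ast.parse(src).body:
                if isinstance(node, ast.FunctionDef):
                    self.funcs[node.name] = (path, node)
        # "sink": parameter indices that (transitively) reach a sink;
        # "ret": parameter indices that flow into the return value.
        self.summaries = {n: {"sink": set(), "ret": set()} for n in self.funcs}
        self.findings = set()

    def run(self):
        """Re-analyze every function until no summary changes (fixpoint)."""
        while True:
            before = {n: (set(s["sink"]), set(s["ret"])) for n, s in self.summaries.items()}
            self.findings = set()
            for name in self.funcs:
                self._analyze(name)
            if all(before[n] == (s["sink"], s["ret"]) for n, s in self.summaries.items()):
                return sorted(self.findings)

    def _analyze(self, name):
        _, fn = self.funcs[name]
        env = {p.arg: {("param", i)} for i, p in enumerate(fn.args.args)}
        summ = self.summaries[name]
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                env[stmt.targets[0].id] = self._taint(stmt.value, env, name, summ)
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                summ["ret"] |= self._params(self._taint(stmt.value, env, name, summ))
            elif isinstance(stmt, ast.Expr):
                self._taint(stmt.value, env, name, summ)

    @staticmethod
    def _params(labels):
        return {label[1] for label in labels if label != SRC}

    def _flow(self, caller, callee, labels, summ):
        """Labels reach a sink: a concrete source is a finding, a parameter
        label is recorded in the caller's own sink summary for its callers."""
        if SRC in labels:
            self.findings.add((self.funcs[caller][0], caller, callee))
        summ["sink"] |= self._params(labels)

    def _taint(self, e, env, caller, summ):
        if isinstance(e, ast.Name):
            return set(env.get(e.id, ()))
        if isinstance(e, (ast.Subscript, ast.Attribute)):
            if ast.unparse(e).startswith(SOURCE_PREFIX):
                return {SRC}
            return self._taint(e.value, env, caller, summ)
        if isinstance(e, ast.BinOp):
            return self._taint(e.left, env, caller, summ) | self._taint(e.right, env, caller, summ)
        if isinstance(e, ast.Call):
            callee = _callee_name(e)
            if callee == SANITIZER:
                return set()
            args = [self._taint(a, env, caller, summ) for a in e.args]
            if callee == SINK:
                self._flow(caller, callee, set().union(*args), summ)
                return set()
            if self.cross_function and callee in self.summaries:
                cs = self.summaries[callee]
                for i, labels in enumerate(args):
                    if i in cs["sink"]:
                        self._flow(caller, callee, labels, summ)
                return set().union(*(args[i] for i in cs["ret"] if i < len(args)))
            # Unknown callee (every callee when cross_function is off): pass taint through
            base = self._taint(e.func.value, env, caller, summ) if isinstance(e.func, ast.Attribute) else set()
            return base.union(*args)
        return set()


def analyze(files, cross_function=True):
    """Returns sorted (file, function, sink-or-callee) findings."""
    return TaintAnalyzer(files, cross_function).run()
```

`analyze(FILES)` reports the flow in `handlers.py:get_user` into `run_query`, even though the sink is only visible inside `db.py`; `analyze(FILES, cross_function=False)` treats `run_query` as an opaque call and reports nothing, which is exactly the gap a per-function rule leaves and a cross-file, cross-function rule closes. The sanitized variant `get_user_escaped` stays clean in both modes because the sanitizer drops the taint before it crosses the call.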