Semgrep-based analysis in GitLab SAST
Context
GitLab SAST historically has been powered by over a dozen open-source static analysis security analyzers. These analyzers have proactively identified millions of vulnerabilities for GitLab users, but each of these analyzers is language-specific and uses a different scanning approach.
We are currently streamlining the set of SAST analyzers to provide:
- A simpler operational experience, for example, by not requiring compilation or complicated build configuration steps.
- Faster performance.
- Better rule customization, since rules can be defined in configuration files instead of code.
- A more consistent user experience across languages.
Semgrep-based scanning
Adding Semgrep-based scanning is a key part of this effort, though we are also working on other efforts in this area.
The GitLab Static Analysis and Vulnerability Research teams have worked together to transition coverage from a number of existing open-source analyzers to Semgrep-based scanning. We plan to continue to migrate existing scanner coverage to Semgrep-based scanning, as described in this epic.
Semgrep-based scanning in GitLab SAST includes:
- The Semgrep scanning engine, maintained by r2c. GitLab and r2c have partnered on areas of mutual interest.
- Detection rules that are created, maintained, and supported by GitLab.
- GitLab Ultimate features like Advanced Vulnerability Tracking.
- Integration with GitLab Vulnerability Management.
Functional requirements
- Semgrep analyzer(s) are enabled by the existing vendored SAST template.
- Semgrep analyzer(s) run at the same license tier as the other SAST analyzers.
- Match existing support for custom rulesets.
- Ability to run the new Semgrep analyzer(s) alongside existing SAST analyzers.
- Ability to deduplicate findings when multiple SAST analyzers report the same vulnerability.
- Example: if the bandit and semgrep analyzers find the same CWE finding, only show one finding in the MR widget and create one vulnerability if merged.
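To make the deduplication requirement concrete, here is an added example (not GitLab's own code) that merges two SAST reports in the GitLab security report JSON shape and collapses findings that share a CWE identifier at the same file and line. Matching on CWE plus location is an assumption; the epic only says "same CWE finding". The two reports are constructed and trimmed to the fields the merge needs.

```python
import json

# Constructed sample reports (GitLab SAST report shape, trimmed).
BANDIT_REPORT = json.dumps({"vulnerabilities": [
    {"id": "b1", "name": "subprocess call with shell=True",
     "scanner": {"id": "bandit", "name": "Bandit"},
     "identifiers": [{"type": "cwe", "name": "CWE-78", "value": "78"}],
     "location": {"file": "app/run.py", "start_line": 12}},
    {"id": "b2", "name": "Hardcoded password",
     "scanner": {"id": "bandit", "name": "Bandit"},
     "identifiers": [{"type": "cwe", "name": "CWE-259", "value": "259"}],
     "location": {"file": "app/config.py", "start_line": 3}},
]})
SEMGREP_REPORT = json.dumps({"vulnerabilities": [
    {"id": "s1", "name": "subprocess-shell-true",
     "scanner": {"id": "semgrep", "name": "Semgrep"},
     "identifiers": [{"type": "semgrep_id", "name": "bandit.B602", "value": "bandit.B602"},
                     {"type": "cwe", "name": "CWE-78", "value": "78"}],
     "location": {"file": "app/run.py", "start_line": 12}},
    {"id": "s2", "name": "insecure-random",
     "scanner": {"id": "semgrep", "name": "Semgrep"},
     "identifiers": [{"type": "cwe", "name": "CWE-330", "value": "330"}],
     "location": {"file": "app/token.py", "start_line": 20}},
]})


def finding_key(v):
    """Key a finding by its CWE identifiers plus file and start line."""
    cwes = tuple(sorted(i["value"] for i in v["identifiers"] if i["type"] == "cwe"))
    if not cwes:
        # No CWE to match on: keep the finding unique rather than risk
        # merging unrelated findings that happen to share a location.
        return (v["scanner"]["id"], v["id"])
    loc = v["location"]
    return (cwes, loc["file"], loc["start_line"])


def deduplicate(*reports):
    """Merge SAST reports: keep the first finding per key (first report
    wins) and record every scanner that reported it."""
    merged = {}
    for raw in reports:
        for v in json.loads(raw)["vulnerabilities"]:
            key = finding_key(v)
            if key in merged:
                merged[key]["reported_by"].append(v["scanner"]["id"])
            else:
                merged[key] = dict(v, reported_by=[v["scanner"]["id"]])
    return list(merged.values())
```

Running `deduplicate(BANDIT_REPORT, SEMGREP_REPORT)` yields three findings instead of four; the CWE-78 finding at app/run.py:12 survives once, tagged as reported by both scanners.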
Comparison Criteria
- rule type coverage (total number of rules to be checked, comparison of classification capabilities)
- field mappings - severity, location, field descriptions
- GitLab feature support - Ultimate licensing, custom rulesets, directory/path exclusions, build/compilation requirements, SEARCH_MAX_DEPTH
- benchmarking - scan wall time, memory usage, CPU usage
- logging
- unifying analyzers or keeping them separate (one analyzer with both Python and JavaScript rules?)
- offline requirements
- OSS licensing
Language priorities
These languages are high priority to resolve customer issues with existing analyzers:
- Scala (gitlab#362958 (closed))
- NodeJS (gitlab#395487 (closed)), which also has the benefit of aligning NodeJS with general JavaScript scanning
These languages have specific recorded customer interest due to capabilities in Semgrep-based analyzer (like rule customization):
These languages are targeted for conversion to streamline ongoing maintenance effort:
- Technical Discovery: replace mobsf with semgrep... (gitlab#329712 - closed)
- Kotlin, for simplicity and because of issues with SpotBugs (e.g. gitlab#350801 (closed)). Note that Kotlin is a Beta-maturity language in Semgrep as of 2023-04-04.
We've completed a number of previous conversions: