Enablement-only SAST profile
# Executive Summary
SAST (Static Application Security Testing) is a foundational security scan that analyzes source code for vulnerabilities, but its current enablement experience requires manual CI/CD configuration. Security managers need a streamlined way to enable SAST across multiple projects without requiring developers to modify `.gitlab-ci.yml` files.
This epic delivers the **SAST implementation** of the basic scan configuration profiles framework, following the patterns established by Secret Push Protection and Secret Detection pipeline scanning profiles.
# :chart_with_upwards_trend: Target Metrics
1. **Overall Target: 70% of Ultimate tier active projects adopting 2+ security scanners** ([Tableau](https://10az.online.tableau.com/#/site/gitlab/views/High-LevelSecurityMetricCharts/ofGitLab_comUltimateProjectswith2SecurityScannersRunning?:iid=1))
1. Incremental target: increase the share of active Ultimate projects with SAST scanning enabled to X% within 3 months of release (exact target TBD)
# Dependencies
- Team dependencies:
  - Security Inventory
  - Policy engine for CI injection
- Epic/Issue dependencies - _Link to dependent epics/issues via the linked items widget below for ease of drill down_
- External dependencies:
  - ~"group::static analysis" - DRI for Q1, supporting with guidance, defining default configurations, planning for custom configurations, and aligning on the architectural schema
# Engineering Assessment
See [Scan Profiles Vision](https://docs.google.com/presentation/d/1dR2z-809QPPx1bkVks5F2MY5gRb-YhOeESKUONW4wVU/edit?slide=id.g2df33939f65_0_1787#slide=id.g2df33939f65_0_1787), which includes full project delivery plan and dependencies.
# DRIs
- **PM**: @m-omokoh
- **EM**: @or.gal
- **UX/PDM**: @mfangman
- **Group(s)**: ~"group::security platform management"
- **Engineering Owner**: @rvider
# Initiative Driver - Product or Engineering?
- [X] **Product-driven initiatives (P1/P2/P3)** - Customer-facing features or improvements driven by Product teams that require engineering resources and commitment
  - These initiatives require a Product Priority label (P1/P2/P3)
  - They may also receive GTM tier labels (T1/T2/T3) for external communication
- [ ] **Engineering-driven initiatives (E1/E2/E3)** - Internal technical improvements that may not have customer-facing components
  - These initiatives require an Engineering Priority label (E1/E2/E3)
  - They have internal visibility only and are not externally communicated
  - Examples include: technical debt reduction, infrastructure improvements, refactoring, dependency upgrades
# Acceptance Criteria
1. Security managers can enable SAST for multiple projects simultaneously through the Security Inventory interface
2. Projects receive SAST scanning without developers needing to modify `.gitlab-ci.yml` files
3. Development teams can disable SAST at the project level if they experience negative impacts
4. SAST automatically detects supported languages and runs appropriate analyzers
5. Uses the same interaction patterns as the other scan profiles
# Intended users
- [Amy, Application Security Engineer](/handbook/product/personas/#amy-application-security-engineer) - Primary
- [Alex, Security Operations Engineer](/handbook/product/personas/#alex-security-operations-engineer) - Secondary
- [Sasha, Software Developer](/handbook/product/personas/#sasha-software-developer) - Affected
# Proposal
## Profile Structure
- **Profile Name**: "SAST - Default"
- **Configuration**: Uses the latest SAST template with default analyzer configurations
- **Versioning**: Tied to `latest` analyzer versions
- **Enablement**: Backend security policy injects SAST template into project pipelines
- **Trigger Strategy**: One-time scan on default branch, then automatic on MR pipelines
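As an added illustration (not code from this epic or from GitLab's implementation of the profile), the closest thing a security manager can write today is a group-level scan execution policy that enforces the `latest` SAST template on the default branch; the key names follow GitLab's documented scan execution policy schema as I understand it, and the one-time-then-MR trigger strategy above is not expressible here, so this policy runs SAST on every default-branch pipeline instead.

```yaml
# Added example: a scan execution policy that approximates the "SAST - Default"
# profile described above. Key names are taken from GitLab's scan execution
# policy schema; this is an illustration, not the epic's implementation.
scan_execution_policy:
  - name: SAST - Default
    description: Enable SAST without developers editing .gitlab-ci.yml
    enabled: true
    rules:
      # Trigger on pipelines for each project's default branch.
      - type: pipeline
        branch_type: default
    actions:
      # `template: latest` corresponds to the "latest" analyzer versions named
      # above; `default` selects the stable template and is the lower-risk
      # choice where analyzer behaviour changes must not surprise developers.
      - scan: sast
        template: latest
```

Committing this to a group's security policy project applies it to every project under that group, which is the multi-project enablement the acceptance criteria ask for.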
## Key Features
1. Auto-detection of project languages and appropriate analyzers
2. Advanced SAST automatically enabled for Ultimate tier on supported languages
3. Group-level management via Security Configuration and Inventory
4. Project-level control for developers to remove if needed
5. Additive behavior - won't conflict with existing SAST configurations