Static Application Security Testing (SAST)
If you are using GitLab CI/CD, you can analyze your source code for known
vulnerabilities using Static Application Security Testing (SAST), either by
including the CI job in your existing
.gitlab-ci.yml file or
by implicitly using Auto SAST
that is provided by Auto DevOps.
Going a step further, GitLab can show the vulnerability list right in the merge request widget area.
- Your application is using an external (open source) library, locked to a
specific version (e.g., via
Gemfile.lock) and the version is known to be vulnerable.
- Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
Supported languages and frameworks
The following languages and frameworks are supported.
|Language (package managers) / framework||Scan tool|
|Python (pip)||gemnasium, bandit|
|Ruby (gem)||gemnasium, bundler-audit|
|Ruby on Rails||brakeman|
|Java (Maven)||gemnasium, find-sec-bugs|
Some security scanners require to send a list of project dependencies to GitLab central servers to check for vulnerabilities. To learn more about this or to disable it please check GitLab SAST documentation.
How it works
First of all, you need to define a job named
sast in your
file. Check how the
sast job should look like.
In order for the report to show in the merge request, there are two prerequisites:
- the specified job must be named
- the resulting report must be named
gl-sast-report.jsonand uploaded as an artifact
sast job will perform an analysis on the running web application, the
resulting JSON file will be uploaded as an artifact, and GitLab will then check
this file and show the information inside the merge request.