Static Application Security Testing (SAST) [ULTIMATE]
If you are using GitLab CI/CD, you can analyze your source code for known vulnerabilities using Static Application Security Testing (SAST).
Going a step further, GitLab can show the vulnerability list right in the merge request widget area.
Examples of the issues a SAST scan can flag:
- Your application is using an external (open source) library, locked to a specific version (e.g., via Gemfile.lock), and that version is known to be vulnerable.
- Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
Supported languages and frameworks
The following languages and frameworks are supported.
| Language / framework | Scan tool |
|---|---|
| Ruby on Rails | brakeman |
| Groovy (Gradle & Grails) | find-sec-bugs |
| Java (Maven & Gradle) | find-sec-bugs |
| .NET | Security Code Scan |
How it works
First of all, you need to define a job in your .gitlab-ci.yml file that generates the SAST report artifact.
For more information on what the SAST job should look like, check the example on Static Application Security Testing with GitLab CI/CD.
GitLab then checks this report, compares the found vulnerabilities between the source and target branches, and shows the information right on the merge request.
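An added example of such a job (this is not the page's own snippet): it runs the scanner in a Docker-in-Docker job and exposes the report as an artifact. The scanner image reference, the use of CI_SERVER_VERSION to pick a matching scanner release, and the report file name gl-sast-report.json are assumptions taken from the convention of GitLab's SAST example project and must match what your GitLab version expects.

```yaml
# Added example SAST job for .gitlab-ci.yml (not the page's own snippet).
# Assumptions: scanner image path, the version-pinning expression and the
# report name gl-sast-report.json follow the GitLab SAST example project's
# convention; verify them against your GitLab release.
sast:
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_DRIVER: overlay2
  # Let the merge request still be reviewable if the scanner itself crashes;
  # findings are reported in the widget rather than by failing the job.
  allow_failure: true
  script:
    # Assumption: derive the scanner tag (e.g. "10-3-stable") from the
    # predefined CI_SERVER_VERSION variable so scanner and server match.
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /code
  artifacts:
    # The JSON report must be uploaded as an artifact under this exact name,
    # otherwise GitLab cannot compare source and target branches or show
    # the pipeline security tab.
    paths: [gl-sast-report.json]
```

Because GitLab diffs the report between the source and target branches, the job must run on both branches' pipelines, so do not restrict it to merge request pipelines only.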
Security report under pipelines
Visit any pipeline page that has a sast job and you will be able to see the security report tab with the listed vulnerabilities (if any).