<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Sast on Software Factory</title><link>/tags/sast/</link><description>Recent content in Sast on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/tags/sast/index.xml" rel="self" type="application/rss+xml"/><item><title>Secure</title><link>/use/tools/gitlab/secure/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/secure/</guid><description>&lt;p&gt;&lt;img src="../img/gitlab-security-header.png" alt="GitLab secure"&gt;&lt;/p&gt;
&lt;p&gt;GitLab Ultimate embeds a suite of security scanners directly into your CI/CD pipelines.
They cover two complementary approaches: &lt;strong&gt;static analysis&lt;/strong&gt; (source code, dependencies, secrets)
and &lt;strong&gt;dynamic analysis&lt;/strong&gt; (running application).
All results are centralised in a single &lt;a href="/use/tools/gitlab/secure/vulnerability-report/"&gt;vulnerability report&lt;/a&gt;
 within GitLab.&lt;/p&gt;

 &lt;link rel="stylesheet" href="/css/vendors/admonitions.css"&gt;
 &lt;div class="admonition tip"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"&gt;&lt;path d="M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Tip&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;Not familiar with the terminology?
See &lt;a href="/get-started/glossary/#security"&gt;SAST, DAST, SCA and other security terms&lt;/a&gt;
 in the glossary.&lt;/p&gt;</description></item><item><title>Coverity</title><link>/use/tools/coverity/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/coverity/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/coverity.svg" alt="Coverity"
 width="150"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;&lt;a href="https://www.blackduck.com/static-analysis-tools-sast/coverity.html" class="external-link" target="_blank" rel="noopener noreferrer"&gt;Coverity&lt;/a&gt;
 is
&lt;a href="/use/practices/secure/static-application-security-testing/"&gt;SAST&lt;/a&gt;
 tool developed by Synopsys that
detects software defects and security vulnerabilities through deep code analysis.&lt;/div&gt;
&lt;/div&gt;

&lt;link rel="stylesheet" href="/css/vendors/admonitions.css"&gt;
 &lt;div class="admonition info"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM216 336l24 0 0-64-24 0c-13.3 0-24-10.7-24-24s10.7-24 24-24l48 0c13.3 0 24 10.7 24 24l0 88 8 0c13.3 0 24 10.7 24 24s-10.7 24-24 24l-80 0c-13.3 0-24-10.7-24-24s10.7-24 24-24zm40-208a32 32 0 1 1 0 64 32 32 0 1 1 0-64z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Info&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;This page describes the tool independently of any platform-specific details.
For the service URL and other platform-specific configuration,
please refer to your &lt;a href="/get-started/platforms/"&gt;platform&amp;rsquo;s dedicated page&lt;/a&gt;
.&lt;/p&gt;</description></item><item><title>Static Application Security Testing (SAST)</title><link>/use/tools/gitlab/secure/sast/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/secure/sast/</guid><description>&lt;div style="display: flex; align-items: flex-start; gap: 1.5rem; margin-bottom: 1rem; max-width: 80%;"&gt;
 &lt;img src="/logo/gitlab.svg" alt="GitLab logo"
 width="100"
 style="flex-shrink: 0;"&gt;
 &lt;div&gt;GitLab Ultimate provides a SAST tool already integrated in your development environment.
It helps developers identify security issues in their code during the development process,
allowing them to fix vulnerabilities before they reach production.&lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;The SAST scanner uses analyzers to detect vulnerabilities in source code.
Currently, there are six officially supported analyzers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;GitLab Advanced Security&lt;/strong&gt;: analyzer designed to discover vulnerabilities by performing
cross-function and cross-file taint analysis&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Semgrep&lt;/strong&gt;: standard static scanner for most programming languages&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Kubesec&lt;/strong&gt;: designed to scan Kubernetes manifests and Helm Charts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;sobelow&lt;/strong&gt;: designed to scan Elixir applications&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;spotbug&lt;/strong&gt;: designed to scan Java and Groovy applications&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;pmd-apex&lt;/strong&gt;: designed to scan Apex code used in Salesforce applications&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When the SAST scanner is integrated into your pipeline,
it will select the scanner that best suits your repository.&lt;/p&gt;</description></item></channel></rss>