The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Static Application Security Testing (SAST)

Identify source code vulnerabilities with GitLab SAST analyzers
GitLab logo
GitLab Ultimate provides a SAST tool already integrated in your development environment. It helps developers identify security issues in their code during the development process, allowing them to fix vulnerabilities before they reach production.

The SAST scanner uses analyzers to detect vulnerabilities in source code. Currently, there are six officially supported analyzers:

  • GitLab Advanced Security: analyzer designed to discover vulnerabilities by performing cross-function and cross-file taint analysis
  • Semgrep: standard static scanner for most programming languages
  • Kubesec: designed to scan Kubernetes manifests and Helm Charts
  • sobelow: designed to scan Elixir applications
  • spotbug: designed to scan Java and Groovy applications
  • pmd-apex: designed to scan Apex code used in Salesforce applications

When the SAST scanner is integrated into your pipeline, it will select the scanner that best suits your repository.

Tip

The Software Factory also offers another advanced SAST tool, Coverity . See the comparison and the use between the two tools (+ SonarQube).

How does it work

SAST scanners are added through your .gitlab-ci.yml file using either a template or component. You can find more details on How-to enable GitLab SAST .

During the execution of the pipeline, the SAST scanner will detect your programming language and select the appropriate analyzer to perform the scan.

Tip

If you have Kubernetes manifest files in your source code, you can enable the Kubesec analyser or use IaC scanning .

Here the official documentation on this: Static Application Security Testing (SAST) | GitLab .

Advanced SAST Scanner

SAST Scanner is a SAST analyzer which is designed to discover vulnerabilities through cross-function and cross-file taint analysis.

Key advantages of GitLab Advanced SAST include:

  • Reduced false positives for more actionable findings
  • Customizable rules to fit project and compliance needs
  • Seamless GitLab CI/CD integration with quick setup and feedback

The current limitation of Advanced SAST is its narrower language coverage , when compared to GitLab SAST, SonarQube, or Coverity.

  • C#
  • Go
  • Java, including JSP
  • JavaScript and TypeScript
  • Python
  • Ruby