version v7.2.
For up-to-date documentation, see the
latest version.
Static Application Security Testing (SAST)
2 minute read
The SAST scanner uses analyzers to detect vulnerabilities in source code. Currently, there are six officially supported analyzers:
- GitLab Advanced Security: analyzer designed to discover vulnerabilities by performing cross-function and cross-file taint analysis
- Semgrep: standard static scanner for most programming languages
- Kubesec: designed to scan Kubernetes manifests and Helm Charts
- sobelow: designed to scan Elixir applications
- spotbug: designed to scan Java and Groovy applications
- pmd-apex: designed to scan Apex code used in Salesforce applications
When the SAST scanner is integrated into your pipeline, it will select the scanner that best suits your repository.
The Software Factory also offers another advanced SAST tool, Coverity . See the comparison and the use between the two tools (+ SonarQube).
How does it work
SAST scanners are added through your .gitlab-ci.yml file using either a template or component.
You can find more details on How-to enable GitLab SAST
.
During the execution of the pipeline, the SAST scanner will detect your programming language and select the appropriate analyzer to perform the scan.
If you have Kubernetes manifest files in your source code, you can enable the Kubesec analyser or use IaC scanning .
Here the official documentation on this: Static Application Security Testing (SAST) | GitLab .
Advanced SAST Scanner
SAST Scanner is a SAST analyzer which is designed to discover vulnerabilities through cross-function and cross-file taint analysis.
Key advantages of GitLab Advanced SAST include:
- Reduced false positives for more actionable findings
- Customizable rules to fit project and compliance needs
- Seamless GitLab CI/CD integration with quick setup and feedback
The current limitation of Advanced SAST is its narrower language coverage , when compared to GitLab SAST, SonarQube, or Coverity.
- C#
- Go
- Java, including JSP
- JavaScript and TypeScript
- Python
- Ruby