Published on: October 21, 2025


Delivering faster and smarter scans with Advanced SAST

New accuracy and speed enhancements improve the developer experience and drive adoption.

Static application security testing (SAST) is critical to building secure software, helping teams identify vulnerabilities in code before they can be exploited. Last year, with GitLab 17.4, we launched Advanced SAST to deliver higher-quality scan results directly in developer workflows. Since then, Advanced SAST has powered millions of scans across over a hundred thousand codebases, reducing risk and helping customers build more secure applications from the start.

We’re building on that foundation with a set of performance enhancements designed to improve accuracy and speed, so developers get results they can trust, without losing their flow. New capabilities include better out-of-the-box precision, the ability to add custom detection rules, and a trio of improvements to accelerate scan times through multi-core scanning, algorithmic optimizations, and diff-based scanning. Together, these improvements make Advanced SAST smarter and faster, delivering security that’s developer-friendly by design.

SAST adoption hinges on both accuracy and speed

SAST programs rarely fail because of inaccurate vulnerability detection; they fail because developers don’t adopt the security tooling. Too often, AppSec solutions like SAST deliver accuracy at the expense of the developer experience, or developer experience at the expense of accuracy. In reality, both are necessary. Without accuracy, developers don’t trust the results; without speed and usability, adoption lags.

When both come together, security fits naturally into the development process — and that’s the only way security teams successfully drive SAST adoption at scale. This philosophy guides the GitLab roadmap for Advanced SAST.

Add custom detection rules for greater accuracy

The built-in Advanced SAST rules are informed by our in-house security research team, designed to maximize accuracy out of the box. Until now, you could disable rules or adjust their name, description, or severity, but you couldn’t add new detection logic. With GitLab 18.5, teams can now define their own custom, pattern-based rules to catch organization-specific issues — like flagging banned function calls — while still using GitLab’s curated ruleset as the baseline. Any violations of custom rules are reported in the same place as built-in GitLab rules, so developers can glean information from a single dashboard.

Custom rules are effective at catching straightforward issues that matter to your organization, but they don’t influence the taint analysis that Advanced SAST uses to catch injections and similar flaws. Customizations are managed through simple TOML files, just like other SAST ruleset configurations. The result is higher-quality scan results tuned to your context, giving security teams more control and developers clearer, more actionable findings.
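To make the distinction above concrete, here is an added Python example (not GitLab code and not the Advanced SAST TOML rule format) of a pattern-based "banned function call" rule of the kind described, and of why such a rule cannot replace taint analysis; the rule ids, guidance strings and sample source are constructed for the illustration.

```python
import ast
from dataclasses import dataclass

# Constructed rules: qualified callee name -> (rule id, severity, guidance).
# Ids and names are illustrative, not GitLab rule identifiers.
BANNED_CALLS = {
    "os.system": ("org-banned-os-system", "High", "use subprocess.run with a list argv"),
    "pickle.loads": ("org-banned-pickle-loads", "High", "pickle deserialises untrusted data"),
    "yaml.load": ("org-banned-yaml-load", "Medium", "use yaml.safe_load"),
}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    guidance: str

def qualified_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain (e.g. os.system), else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(source):
    """Flag every call whose callee matches a banned name. The match is purely
    syntactic: it does not follow data flow, so it cannot tell a call fed by
    user input (an injection) from one with a constant argument. That is the
    gap taint analysis fills and a pattern rule does not."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = qualified_name(node.func)
            if name in BANNED_CALLS:
                rule_id, severity, guidance = BANNED_CALLS[name]
                findings.append(Finding(rule_id, severity, node.lineno, guidance))
    return sorted(findings, key=lambda f: f.line)

# Constructed sample: both os.system calls are reported identically, although
# only the one on line 4 carries request-controlled input.
SAMPLE = """import os, subprocess
os.system("ls -l")
cmd = request.args.get("cmd")
os.system(cmd)
subprocess.run(["ls", "-l"], check=True)
"""
```

Running `scan_source(SAMPLE)` returns findings for lines 2 and 4 under the same rule id; ranking the second higher than the first would need the data-flow tracking the built-in taint rules provide.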

Faster scans to get developers in the flow

Speed matters. If a SAST scan takes too long, developers often switch to another task, so adoption suffers.

That’s why we’ve invested in several performance-based enhancements to dramatically reduce scan times without compromising on accuracy, including:

  • Multi-core scanning: Leverages multiple CPU cores on GitLab Runners
  • Diff-based scanning: Scans only the changed code in a merge request
  • Ongoing optimizations: Smarter algorithms and engine enhancements

These improvements build on each other, delivering faster scans with significant impact:

  • Multi-core scanning typically reduces scan runtime by up to 50%.
  • Diff-based scanning helps the most in large repositories, where less code is modified in each change. It’s specifically designed to give faster feedback in the code review process by delivering faster scans in merge requests. In our testing, many large repositories now take less than 10 minutes to return results in MRs, where previously scans took more than 20 minutes.
  • In recent internal testing, algorithmic optimizations cut scan times by up to 71% on large open-source codebases, with Apache Lucene (Java) showing the biggest improvement. Other projects, including Django (Python), Kafka, and Zulip, also saw performance boosts of over 50% in single-core mode. You can see the results for yourself below.

For developers, these improvements mean quicker feedback in merge requests, less waiting on security results, and a smoother path to adoption. And with multi-core scanning and diff-based analysis layered on top, the gains will be even greater.

chart showing Python scan times

chart showing Java scan times

These performance gains reflect GitLab’s broader focus on improving the developer experience across our platform. For example, one of our customers recently transitioned to GitLab’s Pipeline Execution Policies (PEP) to gain greater control and flexibility over how security scans run within their pipelines. By standardizing templates, adding caching, and optimizing pipeline logic, their teams cut dependency scan runtimes from 15–60 minutes down to just 1–2 minutes per job — saving roughly 100,000 compute minutes every day across 15,000 scans. It’s a clear example of how more customizable and efficient pipeline execution policies lead to faster feedback loops, higher productivity, and broader adoption.

With these latest enhancements, Advanced SAST gives security and development teams the accuracy, speed, and flexibility they need to keep up with modern software development. By reducing false positives, enabling custom detection, and accelerating scan times, we’re making security an enabler — not a blocker — for developers.

Like all of GitLab’s application security capabilities, Advanced SAST is built directly into our DevSecOps platform, making security a natural part of how developers build, test, deploy, and secure software.

The result: faster adoption, fewer bottlenecks, and more secure applications delivered from the start.

Get started with Advanced SAST today! Sign up for a free trial of GitLab Ultimate.
