Published on: October 22, 2024
7 min read
Shorten your mean time to remediation by pairing Advanced SAST and artificial intelligence. This detailed demo shows you how.
With GitLab 17.4, we’ve made GitLab Advanced SAST generally available. GitLab Advanced SAST is a static application security testing scanner designed to discover vulnerabilities by performing cross-function and cross-file taint analysis. By following the paths user inputs take, the analyzer identifies the points where untrusted data can influence the execution of your application in unsafe ways, ensuring that vulnerabilities are detected even when they span multiple functions and files.
GitLab Advanced SAST can be used together with GitLab Duo Vulnerability Explanation to reduce the mean time to remediation (MTTR). GitLab Duo can provide practical, AI-powered examples of how threat actors can exploit vulnerabilities and offer lightweight remediation guidance, which can be combined with cross-file analysis to improve application security (AppSec) efficiency.
This tutorial will show you how to:
Follow the instructions below to enable GitLab Advanced SAST. You can also view this video to get started:
Before using Advanced SAST, the following prerequisites must be met:
To enable the GitLab Advanced SAST scanner, update your .gitlab-ci.yml to include the following:
- the Jobs/SAST.gitlab-ci.yml template
- the GITLAB_ADVANCED_SAST_ENABLED variable set to true
Your newly merged .gitlab-ci.yml should contain the following:
stages:
  - test
include:
  - template: Jobs/SAST.gitlab-ci.yml
variables:
  GITLAB_ADVANCED_SAST_ENABLED: 'true'
This will now run the gitlab-advanced-sast job within the test stage of your application along with all the other jobs you have defined. Advanced SAST will replace the semgrep SAST scanner for the supported programming languages.
Note: You can fully configure the job as you would any job in GitLab. For more information, see the CI/CD YAML syntax documentation.
Just like our previous SAST scanner, Advanced SAST allows you to scan source code in the diff of a feature branch. This allows us to address any incoming vulnerabilities before they make it into production. Here we can see the scanner results for the diff within a merge request:
When selecting a newly detected vulnerability, we get the following details to assist with remediation:
Vulnerabilities detected within an MR are actionable, meaning they can be dismissed or an issue can be created and populated with relevant vulnerability information.
Dismissing a vulnerability saves AppSec teams time, because they can see the relevant developer information when reviewing an MR. Creating a confidential issue allows developers and AppSec teams to collaborate further on resolving a vulnerability where a fix is not straightforward. Confidential issues have limited permissions and can be used together with confidential merge requests to keep the details of an unfixed vulnerability away from potential malicious actors.
To further support separation of duties and prevent vulnerable code from making it into production, you can require approval from certain people (for example, the security team) in order to merge vulnerable code.
Note: Learn more about Security Policies and how to implement them in the Security Policy documentation.
While preventing vulnerabilities from making it into production is crucial for application security, it is equally important to manage the vulnerabilities already in production. When security scanners are run on a default or production-level branch, a vulnerability report is populated with the latest vulnerability data, which can be used to triage and manage vulnerabilities.
When selecting a vulnerability you get similar vulnerability details as seen in a merge request, making for a single source of truth for developers and AppSec teams.
AppSec teams can triage a vulnerability by changing its status and adding relevant details on the status change. Issues can be created to track the progress of a fix. From here, a developer can be assigned.
For vulnerabilities detected with Advanced SAST, we can see a "Code flow" tab on the Vulnerability page.
In this example, you can see that a vulnerability is traced across multiple functions, giving deeper insight into the best practices we should put in place to not only resolve the vulnerability, but prevent similar vulnerabilities in the future.
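To make concrete what a cross-file trace like the one in the Code flow tab represents, here is an added illustration that is not GitLab's analyzer or Juice Shop code: a toy interprocedural taint tracker over a hand-modelled call graph. The file and function names (routes/basket.js, data/basket.js, lib/validate.js, assertInt) are constructed for the example; the real analyzer derives the same kind of flow from source code rather than from a hand-written model.

```javascript
// Functions across two hypothetical files (constructed for this example). locals:
// values marked 'source' come from the request; calls: [{ callee, args }] maps callee
// params to locals; sink: param used in string-built SQL; sanitizer: validates input.
const program = {
  'routes/basket.js:getBasket': {
    locals: { id: 'source' },                                   // req.params.id
    calls: [{ callee: 'data/basket.js:findBasket', args: { basketId: 'id' } }],
  },
  'data/basket.js:findBasket': {
    calls: [{ callee: 'data/basket.js:runQuery', args: { sql: 'basketId' } }],
  },
  'data/basket.js:runQuery': { sink: 'sql' },
  'lib/validate.js:assertInt': { sanitizer: true },
};
// Hardened variant: findBasket validates basketId before handing it to the query.
const hardenedProgram = {
  ...program,
  'data/basket.js:findBasket': {
    calls: [
      { callee: 'lib/validate.js:assertInt', args: { n: 'basketId' } },
      { callee: 'data/basket.js:runQuery', args: { sql: 'basketId' } },
    ],
  },
};
// Follow tainted values through calls; return the chain of functions that carries
// one into a sink (the "code flow"), or null when every path is clean.
function traceTaint(prog, fnName, taintedIn, path = []) {
  const fn = prog[fnName];
  const tainted = new Set(taintedIn);
  const here = [...path, fnName];
  if (fn.sink && tainted.has(fn.sink)) return here;
  for (const call of fn.calls || []) {
    if (prog[call.callee].sanitizer) {                 // validated: taint stops here
      Object.values(call.args).forEach((local) => tainted.delete(local));
      continue;
    }
    const calleeTaint = new Set();                     // taint follows the argument
    for (const [param, local] of Object.entries(call.args)) {
      if (tainted.has(local)) calleeTaint.add(param);
    }
    if (calleeTaint.size === 0) continue;
    const flow = traceTaint(prog, call.callee, calleeTaint, here);
    if (flow) return flow;
  }
  return null;
}
function findCodeFlow(prog, entry) {
  const locals = prog[entry].locals || {};
  const sources = Object.keys(locals).filter((v) => locals[v] === 'source');
  return traceTaint(prog, entry, new Set(sources));
}
```

Running findCodeFlow on the first model yields the three-step flow from the route handler to the query sink; on the hardened model it yields null because the validator breaks the chain.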
GitLab Duo can help you mitigate or remediate a vulnerability by using a large language model to:
To use Vulnerability Explanation, the following is required:
From the vulnerability report, you can select a SAST vulnerability and go to its Vulnerability page. From the Vulnerability page, you can do any of the following to explain the vulnerability:
- Enter /vulnerability_explain.
The vulnerable code will then be processed by Anthropic’s Claude 3 Haiku model, which provides the following data:
Now, let's put it all together with a concrete example. I will use the OWASP Juice Shop as my demo application and run GitLab Advanced SAST to detect a vulnerability in production. Then I will use the vulnerability code flow and GitLab Duo to investigate how the vulnerability could be exploited and how to remediate it. You can follow along with this demo and see this workflow in action by watching:
The detection and remediation workflow is as follows:
Basket.ts.
Note: There are many ways to triage and remediate vulnerabilities; make sure to follow the best practices set by your organization.
To learn more about GitLab and how you can get started with enhancing your organization’s application security posture, check out the following resources.