The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
This page combines priorities across the feature categories that Static Analysis maintains. For details on each category, see the category direction pages:
These are primarily feature enhancements, curated by Product Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Improve Advanced SAST performance and stability | In progress | Differential scanning, multi-threaded engine, incremental scanning | |
Implement Advanced SAST for C/C++ | Expected by FY26Q4. Beginning technical planning in 17.10. | Create technical plan | |
Incremental scanning for Advanced SAST (skip unchanged code) | Expected FY26Q2. Reassessing technical plan. | | |
Reduce false negatives in C# Advanced SAST | Expected FY26Q2. (Primarily Vulnerability Research.) | | |
Real-time IDE SAST scanning: Beta release | Expected FY26Q3 | | |
Customizable detection logic for Advanced SAST | Expected FY26Q3 | | |
Real-time IDE SAST scanning: GA release | Expected FY26Q4 | | |
Duo Vulnerability Resolution: Support resolving cross-file injection vulnerabilities | Expected FY26Q4. Will require coordination with Security Risk Management. | | |
These are primarily technical tasks, curated by Engineering Management.
Priority | Name | Target release |
---|---|---|
1 | AST CI-templates improvements | TBD |
2 | Static Analysis 18.0 deprecations, removals and breaking changes | 18.0 |
These are proactive documentation-focused tasks, outside of the context of feature or maintenance efforts already tracked elsewhere. Curated by Product Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Provide guidance on how to evaluate GitLab SAST | Initial guide shipped | Implement further edits to the evaluation guide | Publish benchmark/example project guide, based on analysis project listed below |
Restructure and update Advanced SAST docs now that the feature is GA | In progress. (Primarily documentation.) | Complete most issues in this epic | Complete entire epic |
These are priorities that Static Analysis has, where we believe we would benefit from support from Vulnerability Research. Curated by Product Management and Engineering Management.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Address false-negative results in C# Advanced SAST coverage | Expected by FY26Q2. | Analyze existing cases; diagnose gaps; analyze and improve source/sink coverage; analyze and improve rule coverage | |
Update Java rules based on benchmark/example analysis | To be scheduled. Will involve refreshing our ground-truth analysis and implementing rule changes. | ||
Create Advanced SAST ruleset for C++ | | | |
Expand detection of dangerous query construction without traceable user input | | | |
Implement the next level of documentation for rule/CWE coverage | Assessing implementation options. | Interview internal users and develop technical plan | Ship documentation |
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. So, our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform. We can do what others can't by making security omnipresent, and by supporting collaboration right in the tools that development teams are already using to do their jobs.
Building on those fundamental beliefs, the Static Analysis group's business purpose is to build value for GitLab and our customers…
We are responsible for ensuring that customers can use GitLab Ultimate to:
Our responsibility is for the full customer experience—not just security analyzers or specific software systems we maintain. At times this may mean:
We will do what it takes to deliver these customer results—our customers use the entire product to do their jobs, so it's important that we collaborate effectively with other groups to deliver end-to-end results.
This page is designed to clarify competing priorities between feature categories and provide a high-level summary of the problems the Static Analysis group plans to tackle.
It includes "headline" items that we're planning to work on, and ranks them across the feature categories that Static Analysis maintains.
However, it doesn't:
Stage | Application Security Testing |
Content Last Reviewed | 2025-02-18 |