The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities.
GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so it's easy for developers to interact with.
While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.
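As an added example, not code from this page, here is a minimal `.gitlab-ci.yml` that turns on GitLab SAST as described above and opts in to Advanced SAST for the languages it supports. The template path and the two CI/CD variables are assumed from GitLab's SAST documentation, not taken from this page.

```yaml
# Added example (not from the GitLab direction page): enable GitLab SAST in a
# project's .gitlab-ci.yml. The included template detects the project's
# languages and runs the matching analyzers on merge requests and on the
# default branch, so no per-language job definitions are needed here.
include:
  - template: Jobs/SAST.gitlab-ci.yml   # assumed template path, see GitLab docs

stages:
  - test   # the template's SAST jobs run in the "test" stage alongside unit tests

variables:
  # Opt in to Advanced SAST; assumed variable name. Languages that Advanced SAST
  # does not yet cover keep the Semgrep-based analyzer from the same template.
  GITLAB_ADVANCED_SAST_ENABLED: "true"
  # Keep test fixtures and vendored code out of the scan (comma-separated paths);
  # assumed variable name.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
```

Findings land in the merge request's security widget and, for the default branch, in the project's vulnerability report.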
While basic SAST scans are available in every GitLab tier, organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:
Our strategy depends on understanding our customers and the broader market.
This section summarizes our plans for specific parts of GitLab SAST.
We are currently working to upgrade more languages to Advanced SAST. We will continue until we have enabled Advanced SAST for all languages that GitLab SAST currently scans using Semgrep-based scanning. See documentation for the current languages Advanced SAST supports.
Status of new languages is tracked in epic 14312. As of 2025-02-06, the status is:
Language | Expected release | Notes |
---|---|---|
PHP | 17.11 (April 2025) | Engine work expected to complete in 17.9. Rule development planned for 17.10 and 17.11. |
C/C++ | During 2025 | Technical design starting in 17.10. We plan to release iteratively over the course of 2025. |
Kotlin | Pending | |
Scala | Pending | |
iOS (Swift and Objective-C) | Pending | |
Advanced SAST will be enabled by default in 18.0; it will take over coverage for the languages it supports at that time.
When we complete this initiative, we will then evaluate the future plans for the Semgrep-based analyzer, because it will serve fewer Ultimate customers over time.
For details on what is not included in this initiative, see What is not planned right now.
GitLab Vulnerability Research analyzes and improves coverage for already-supported languages as part of a continuous program of assessment and improvement. This program includes:
GitLab Static Analysis and Vulnerability Research teams are collaborating to improve the customer experience with SAST.
Our plans align with the themes for the Security use case:
In the next 3 months, we are planning to work on:
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Advanced SAST support for PHP | Expected in FY26Q1. In progress. | Finalize engine support, implement rules | Complete rules; test; identify any additional changes required |
Duo Vulnerability Resolution: Support new single-file vulnerability types | Expected in FY26Q1. In progress. | Complete evaluation. Begin enabling vulnerability types that pass the quality standard. | |
New metrics for SAST adoption | Expected in 17.10. Define technical plan and implement in 17.10. | Implement high-priority missing metrics | |
Proactive detection accuracy updates for Python, Go, Java | Expected FY26Q1. (Primarily Vulnerability Research.) | Ship findings based on analysis of benchmark/example applications | |
Multi-core Advanced SAST scanning | Expected in FY26Q1. Available as an opt-in. | Enable by default | |
Improve Advanced SAST performance and stability | Beginning implementation in 17.10. | Begin implementation | Differential scanning, multi-threaded engine, incremental scanning |
Enable Advanced SAST by default | Expected in 18.0 (FY26Q2). | Make necessary preparations | Complete transition |
Implement Advanced SAST for C/C++ | Expected by FY26Q4. Beginning technical planning in 17.10. | Create technical plan | |
Use Advanced SAST engine and rules for real-time IDE SAST scanning | Expected in FY26Q2. | Use Advanced SAST engine; identify action items from user feedback | Work toward self-managed support; address other user feedback |
After the next 3 months, we plan to work on:
Name | Overall status |
---|---|
Incremental scanning for Advanced SAST (skip unchanged code) | Expected FY26Q2. Reassessing technical plan. |
Reduce false negatives in C# Advanced SAST | Expected FY26Q2. (Primarily Vulnerability Research.) |
Real-time IDE SAST scanning: Beta release | Expected FY26Q3 |
Customizable detection logic for Advanced SAST | Expected FY26Q3 |
Real-time IDE SAST scanning: GA release | Expected FY26Q4 |
Duo Vulnerability Resolution: Support resolving cross-file injection vulnerabilities | Expected FY26Q4. Will require coordination with Security Risk Management. |
Our recent work includes:
Check older release posts for our previous work in this area.
We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives:
You can contribute to where GitLab SAST goes next by:
In the gitlab-org/gitlab issue tracker. Comment `@gitlab-bot label ~"group::static analysis" ~"Category:SAST"` on your issue so it lands in our triage workflow.

Stage | Application Security Testing |
Content Last Reviewed | 2025-02-18 |