Category Direction - Static Application Security Testing (SAST)

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Application Security Testing
4. Static Analysis group priorities
5. Category Direction - Static Application Security Testing (SAST)

• Overview
• Strategy and themes
  • Specific product areas
    • Language support
    • Detection accuracy
    • Advanced SAST scan times
• 1 year plan
  • What is next for us
• What we recently completed
• What is not planned right now
• Get involved
• Page updates

This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities.

Overview

GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so it's easy for developers to interact with.

While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.

While basic SAST scans are available in every GitLab tier, organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:

• Advanced SAST: proprietary scanning technology that delivers higher-quality results.
• Advanced Vulnerability Tracking: proprietary technology that keeps track of vulnerabilities as they move around a codebase.
• Workflows: SAST results integrated into the merge request workflow.
• Related security and compliance features: Vulnerability Management, Security Policies, and other capabilities that help you enforce security requirements.

Strategy and themes

Our strategy depends on understanding our customers and the broader market.

Specific product areas

This section summarizes our plans for specific parts of GitLab SAST.

Language support

We are currently working to upgrade more languages to Advanced SAST. We will continue until we have enabled Advanced SAST for all languages that GitLab SAST currently scans using Semgrep-based scanning. See documentation for the current languages Advanced SAST supports.

Status of new languages is tracked in epic 14312. As of 2025-06-19, the status is:

Language	Expected release	Notes
C/C++	During 2025	In progress. We plan to release iteratively over the course of 2025.
Kotlin	Pending
Scala	Pending
iOS (Swift and Objective-C)	Pending

When you enable Advanced SAST, it takes over coverage for the languages it supports.

We plan to enable Advanced SAST by default for SAST users in 19.0.

When we complete this initiative, we will then evaluate the future plans for the Semgrep-based analyzer, because it will serve fewer Ultimate customers over time.

For details on what is not included in this initiative, see What is not planned right now.

Detection accuracy

GitLab Vulnerability Research analyzes and improves coverage for already-supported languages as part of a continuous program of assessment and improvement. This program includes:

• In-house security research.
• Proactive assessments of real-world codebases and benchmark/example projects.
• Reacting to feedback from customers and from internal users within GitLab.
• Identifying opportunities to improve the Advanced SAST engine to enable new detection techniques.

Advanced SAST scan times

GitLab SAST is designed to run in merge requests and on the default branch of your repository, so we know how important it is to get results quickly.

In most cases, Advanced SAST returns results within a few minutes. However, because Advanced SAST scans your program in detail, large repositories can sometimes take longer to scan.

As part of our ongoing maintenance of the Advanced SAST engine, we have already:

• Updated many components of the Advanced SAST engine to improve scan performance.
• Implemented multi-core scanning to better utilize available Runner resources. (See documentation.)
• Documented steps you can take to improve performance, and how to collect data if you reach out for support.

Looking forward, we plan to:

• Continue to routinely identify, schedule, and implement improvements to the Advanced SAST engine.
  • Note: Because every codebase is different, it's difficult to predict whether any given change will improve performance for a specific codebase.
• Implement incremental scanning to reduce the amount of processing the engine has to complete.
  • In progress: Faster Advanced SAST: Diff-based scanning in MRs.
  • Future: Incremental scanning for Advanced SAST (skip unchanged code). We are currently identifying the schedule for this work.
• Explore multi-threaded scanning as a further iteration on existing multi-core scanning.

Many of these work items are tracked in the epic for Advanced SAST performance and scalability. Note that we use confidential issues for some tasks, so you won't see every issue that we've implemented or that we have planned.

If you have concerns about Advanced SAST scan times in your repositories, see the troubleshooting guide for slow scans.

1 year plan

GitLab Static Analysis and Vulnerability Research teams are collaborating to improve the customer experience with SAST.

Our plans align with the themes for the Security use case:

1. Detection accuracy: Security professionals and developers should be able to trust every result from GitLab SAST. This work improves the user experience directly, but also indirectly by reducing the number of times users have to go through other workflows.
2. Shift left security: GitLab SAST already scans code as soon as it's pushed, before code reviews even begin. But, we can make it easier to improve security by scanning code even earlier, including before code leaves developer machines.
3. Faster remediation: We value our users' time, and we know that vulnerabilities are resolved more often if they're easier to understand and interact with.

What is next for us

In the next 3 months, we are planning to work on:

Name	Overall status	One-month plan	Three-month plan
Faster Advanced SAST: Diff-based scanning in MRs	In progress	Complete backend changes	Complete frontend changes and fully ship the feature
Implement Advanced SAST for C/C++	Full delivery expected by FY26Q4, with Experiment and Beta releases earlier	Release Experiment and update plan for Beta

After the next 3 months, we plan to work on:

Name	Overall status
Reduce false negatives in C# Advanced SAST	Expected FY26Q2. (Primarily Vulnerabilty Research.)
Customizable detection logic for Advanced SAST	Expected FY26Q3
Real-time IDE SAST scanning: Beta release	Expected FY26Q4
Incremental scanning for Advanced SAST (skip unchanged code)	Assessing technical plan and delivery estimate.
Real-time IDE SAST scanning: GA release	Expected FY27Q1

What we recently completed

Our recent work includes:

• PHP support for Advanced SAST.
• Expanded CWE support in GitLab Duo Vulnerability Resolution.
• Significantly improved detection accuracy in Python, Go, and Java.
• Multi-core Advanced SAST scanning.

Check older release posts for our previous work in this area.

What is not planned right now

We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives:

• Expanding language support: Currently, we're focusing on delivering better-quality results, faster, for the many languages and frameworks we already support. We're not actively adding adding support for new languages. However, if we don't support a language you use, you can:
  • Integrate third-party tools (open-source or proprietary) using our documented, open report format.
  • Document your request by opening an issue or commenting on an existing issue in epic 297.
• More analyzer consolidations: We are not currently focusing on consolidating more analyzers into Semgrep-based scanning with GitLab-managed rules.
  • We recently completed work to consolidate scanning coverage from many language-specific scanners to Semgrep-based scanning. This provides a simpler, more consistent operational experience; allows GitLab to directly manage rules; and makes scans run faster.
  • We released these changes as part of GitLab 17.0, GitLab 16.0, and GitLab 15.4.
  • The remaining analyzers cover less-commonly-used languages that we cannot immediately convert due to technical limitations.

Get involved

You can contribute to where GitLab SAST goes next by:

• Commenting or contributing to existing SAST issues in the public gitlab-org/gitlab issue tracker.
• If you don't see an issue that matches, filing a new issue.
  • Post a comment that says @gitlab-bot label ~"group::static analysis" ~"Category:SAST" so your issue lands in our triage workflow.
• If you're a GitLab customer, contacting Support or discussing your needs with your account team.

Page updates

Stage	Application Security Testing
Content Last Reviewed	2025-06-19