The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Name | Overall status | One-month plan | Three-month plan |
---|---|---|---|
Make GitLab Advanced SAST an opt-in GA feature; add JavaScript support and dataflow UI (Tracking issue/epic) | ETA 17.3 | Complete JavaScript rule migration and other GA maturity requirements. Make Advanced SAST available in the stable template with opt-in. | See one-month plan |
Ship a data migration to resolve findings from End-of-Support/removed analyzers (Tracking issue/epic) | ETA 17.3. In progress. | Complete work; begin executing migration on GitLab.com | See one-month plan |
Real-time SAST scanning in the IDE (Tracking issue/epic) | Target October 2024 for MVC. (Not a committed date.) In progress. | Continue prototyping | Deliver MVC |
Make Advanced SAST ready to be on-by-default (Tracking issue/epic) | ETA next few months. Starting after opt-in GA release. | Implement finding deduplication and other requirements | |
Expand GitLab Advanced SAST language support (Tracking issue/epic) | Releases starting in 17.3, language-by-language. | Finalize TypeScript support; work on C# and PHP | Continue with Ruby, C, and C++ |
Incremental pipeline-based scans (skip unmodified code) (Tracking issue/epic) | ETA not yet defined | Identify path forward for storage of cache | Implement cache storage |
Document rule information and CWE coverage (Tracking issue/epic) | ETA 17.4 (tentative) | Develop technical plan | Ship documentation |
Name | Status/progress |
---|---|
Support Oxeye integration of dataflow-aware SAST findings (Tracking issue/epic) | Implementation in progress |
Analyze onboarding and day-to-day workflows for real-time IDE scanning (Tracking issue/epic) | Paused until further development is completed. Will include analyzing how the IDE, the monolith, and Cloud Connector interact for end users. |
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. So, our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform. We can do what others can't by making security omnipresent, and by supporting collaboration right in the tools that development teams are already using to do their jobs.
Building on those fundamental beliefs, the Static Analysis group's business purpose is to build value for GitLab and our customers…
We are responsible for ensuring that customers can use GitLab Ultimate to:
Our responsibility is for the full customer experience—not just security analyzers or specific software systems we maintain. At times this may mean:
We will do what it takes to deliver these customer results—our customers use the entire product to do their jobs, so it's important that we collaborate effectively with other groups to deliver end-to-end results.
This page is designed to clarify competing priorities between feature categories and provide a high-level summary of the problems the Static Analysis group plans to tackle.
It includes "headline" items that we're planning to work on, and ranks them across the feature categories that Static Analysis maintains.
However, it doesn't:
Stage | Secure |
Content Last Reviewed | 2024-07-22 |
Content Last Updated | 2023-07-22 |