Static Application Security Testing (SAST) checks source code to find possible security vulnerabilities. SAST helps developers identify weaknesses and security issues earlier in the software development lifecycle before code is deployed. SAST usually is performed when code is being submitted to a code repository. Think of it like spell check for security issues.
SAST is performed on source code or binary files and thus usually won't require code to be compiled, built, or deployed. However, this means that SAST cannot detect runtime or environment issues. SAST can analyze the control flow, the abstract syntax tree, how functions are invoked, and if there are information leaks to detect weak points that may lead to unintended behaviors.
Just like spell checkers, SAST analyzers are language and syntax specific and can only identify known classes of issues. SAST does not replace code reviewers, instead, it augments them, and provides another line of proactive defense against common and known classes of security issues. SAST is specifically about identifying potential security issues, so it should not be mistaken for Code Quality.
Security tools like SAST are best when integrated directly into the Devops Lifecycle and every project can benefit from SAST scans, which is why we include it in Auto DevOps.
GitLab was recently named as a Niche player in the 2020 Gartner Quadrant for Application Security Testing.
Watch recent GitLab Kickoffs covering Static Analysis direction updates:
Overall we want to help developers write better code and worry less about common security mistakes. SAST should help prevent security vulnerabilities by helping developers easily identify common security issues as code is being contributed and mitigate proactively. SAST should integrate seamlessly into a developer’s workflow because security tools that are actively used are effective.
The importance of these goals is validated by GitLab's 2020 DevSecOps Landscape Survey. With 3,650 respondents from 21 countries, the survey found:
“GitLab Secure enables us to ship faster. Our other scanner tools could take up to a day to finish scanning whereas Secure scans finish as little a few minutes” - Healthcare services organization, GitLab Ultimate Customer
We want to make SAST easy to set up and use, making complexity transparent to users where possible. GitLab can automatically detect the programming language of a project and run the appropriate analyzer. We support a variety of popular languages and frameworks.
We want to increase language coverage by including support for the most common languages. We look at a variety of sources to determine language priorities including industry trends, projects hosted on GitLab, as well as analyst reports (italics below indicate languages called out specifically in analyst reports).
Language priorities (in addition to our existing language support):
If we don't support a language you use, you can request support by commenting on this epic with details.
We are also working on a generic language-agnostic scanning approach. While currently experimental, generic scanning presents many opportunities to move faster and put more focus on the security rulesets rather than the implementation of those rules in various scanners. This will be a strategic focus for GitLab SAST leading into 2021.
User success metrics At GitLab, we collect product usage data to help us build a better product. You can see growth of GitLab SAST on our performance indicators dashboard.
The following metrics are also of interest as they help us know which area of SAST on which to focus:
The SAST Category Maturity level is currently at Viable. We plan to mature it to Complete by mid 2021.
With all of our open-source based SAST scanners now available in core for all GitLab users, we are focused on increasing usability for non-ultimate customers. We're improving the MR Security widget experience and adding a SAST configuration tool for core users. We are also working on stability and support focused on more advanced codebases like monorepo and multi-product git projects. As part of these stability improvements, we are also looking to simplify some of the fundamental technical architecture of our product as we look towards the 14.0 release in May 2021 and will be making some deprecations and removals.
We also are continuing our efforts with our generic language-agnostic scanning approach. This will bring improvements to our vulnerability detection engine and help reduce false positives as well as provide developers increased context for taking action to remediate SAST findings. These efforts will set us up to rapidly iterate in this space in early 2021.
Why is this important?
In 2020, GitLab greatly expanded access to SAST to all our customers including our free tier users. Looking forward to 2021, we want GitLab SAST to be industry-leading with high-signal findings and low false-positive rates. SAST has a very real impact to help the world write better code. With wide accessibility to SAST and high-quality security data built directly into the DevSecOps workflow. GitLab will be able to leverage the context of not just repository source code, but also how projects are built, deployed, and changes over time. We'll be able to further integrate all of our application tools to make them smarter, more accurate, and more automated.
“GitLab Secure allowed us to consolidate spend with centralized tools enabling a more streamlined workflow for our developers” - Retail product research organization, GitLab Ultimate Customer
Differentiation
Gitlab uniquely has opportunities within the entire DevOps lifecycle. We can integrate across different DevSecOps stages leveraging data, insight, and functionality from other steps to enrich and automate based on SAST findings. We even allow integration with partners and competitors to ensure flexibility. This allows teams to choose specific SAST solutions that fit their unique needs without GitLab being a constraint. This centers GitLab as the system of control and allows people to extend and integrate other solutions into the GitLab DevSecOps workflow.
View the full changelog of SAST features
Many well-known commercial products provide SAST solutions. Most of them support multiple languages and provide limited integration into the development lifecycle.
Competitors are focused on a few areas:
Here are some vendors providing SAST tools:
GitLab has a unique position to deeply integrate into the development lifecycle, with the ability to leverage CI/CD pipelines to perform the security tests. There is no need to connect the remote source code repository, or to use a different interface. GitLab is consistently now having enterprise customers replacing traditional Security scanning tools in favor of GitLab's fully integrated Security Scanning tools:
“GitLab Secure replaced Veracode, Checkmarx, and Fortify in my DevOps toolchain. Secure scans faster, more accurate, and doesn’t require my developers to learn new tools” - Financial services organization, GitLab Gold Customer
We can improve the experience even further by supporting additional features that are currently present in other tools.
We want to engage analysts to make them aware of the security features already available in GitLab. They also perform analysis of vendors in the space and have an eye on the future. We will blend analyst insights with what we hear from our customers, prospects, and the larger market as a whole to ensure we’re adapting as the landscape evolves.
Last Reviewed: 2020-12-03
Last Updated: 2020-12-03
