The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Static Application Security Testing (SAST) checks source code to find possible security vulnerabilities. It helps developers identify weaknesses and security issues earlier in the software development lifecycle before code is deployed. GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write.
SAST does:
SAST doesn't:
Security tools like SAST are best when integrated directly into the DevOps Lifecycle. We believe that every project can benefit from SAST scans, so we include it in Auto DevOps and make SAST scanning available at all GitLab tiers, including Free. Additional features, including proprietary code analysis and integration with GitLab Vulnerability Management, are available only in GitLab Ultimate.
GitLab was recently named as a Challenger in the 2021 Magic Quadrant for Application Security Testing and a Contender in Forrester's 2021 SAST Wave.
“GitLab Secure allowed us to consolidate spend with centralized tools enabling a more streamlined workflow for our developers” - Retail product research organization, GitLab Ultimate Customer
We want to help developers write better code and worry less about common security mistakes. SAST should help prevent security vulnerabilities by making common security issues easy for developers to identify as code is contributed, so they can mitigate them proactively. SAST should integrate seamlessly into a developer’s workflow, because security tools are effective only when they are actively used.
The importance of these goals is validated by GitLab's 2020 DevSecOps Landscape Survey. With 3,650 respondents from 21 countries, the survey found:
“GitLab Secure enables us to ship faster. Our other scanner tools could take up to a day to finish scanning, whereas Secure scans finish in as little as a few minutes” - Healthcare services organization, GitLab Ultimate Customer
We are currently investing in various areas of GitLab SAST. We expect different parts of these initiatives to deliver value in the short, medium, and long term.
The SAST Category Maturity level is currently at Complete. We plan to mature it to Lovable by late 2023.
We want to make SAST easy to set up and use. While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. Today, GitLab SAST automatically detects the programming languages used in your project and runs the right analyzer.
Currently, we're focusing on making it easier and faster to use SAST on the many languages and frameworks we already support, rather than adding support for new languages. However, if we don't support a language you use, you can request support by opening an issue in this epic with details.
When we decide where to invest resources toward new languages or maintenance of existing languages, we look at a variety of sources, including:
We are also working on a next-generation, language-agnostic scanning approach. This CI/CD-focused scanning approach presents many opportunities to move faster and to put more focus on the security rulesets rather than on the implementation of those rules in various scanners. This is a strategic focus for GitLab SAST.
User success metrics
At GitLab, we collect product usage data to help us build a better product. You can see growth of GitLab SAST on our performance indicators dashboard.
The following metrics are also of interest because they help us know which areas of SAST to focus on:
GitLab SAST historically has been powered by over a dozen open-source static analysis security analyzers. These analyzers have proactively identified millions of vulnerabilities for GitLab users, but each of these analyzers is language-specific and uses a different scanning approach.
We are currently streamlining the set of SAST analyzers to provide:
The GitLab Static Analysis and Vulnerability Research teams have worked together to transition coverage from a number of existing open-source analyzers to Semgrep-based scanning. We plan to continue to migrate existing scanner coverage to Semgrep-based scanning.
Semgrep-based scanning in GitLab SAST includes:
While we work on Semgrep-based scanning, we're also continuing our efforts toward our next-generation scanning approach. This will enhance our vulnerability detection engine, improve our vulnerability fingerprinting and tracking accuracy features, and help reduce false positives as we work to provide developers increased context to remediate SAST findings.
This next-generation SAST scanner is a proprietary tool built on research by our Vulnerability Research Team. Its approach analyzes data flow and control flow, so it understands how logic and data move through source code and can use that understanding to identify vulnerabilities.
We are initially using this tool to improve accuracy and reduce false positives by double-checking findings from other SAST analyzers. Later, we plan to replace some of the other analyzers with the next-gen scanner. And, ultimately, we hope to use the data it provides to build features that underscore the value of building workflows inside The One DevOps Platform.
We want to make it easier for merge request authors and code reviewers to spot possible security issues.
To do this, we plan to show SAST findings in the MR changes view. We're approaching this problem by:
This will complement our existing MR security widget and make it easier for developers to see vulnerabilities in files they're working on inline, just like in their IDEs.
While we're working on these larger initiatives, we aren't losing sight of usability and other concerns.
We're investing in improvements that will help:
View the full list of announced SAST features.
Many well-known commercial products provide SAST solutions. Most of them support multiple languages and provide limited integration into the development lifecycle.
Competitors are focused on a few areas:
Here are some vendors providing SAST tools:
GitLab has a unique position to deeply integrate into the development lifecycle, with the ability to leverage CI/CD pipelines to perform the security tests. There is no need to connect a remote source code repository or to use a different interface. Enterprise customers are now consistently replacing traditional security scanning tools with GitLab's fully integrated security scanning tools:
“GitLab Secure replaced Veracode, Checkmarx, and Fortify in my DevOps toolchain. Secure scans faster, is more accurate, and doesn’t require my developers to learn new tools” - Financial services organization, GitLab Gold Customer
We even allow integration with partners and competitors to ensure flexibility. This allows teams to choose specific SAST solutions that fit their unique needs without GitLab being a constraint. This centers GitLab as the system of control and allows people to extend and integrate other solutions into the GitLab DevSecOps workflow.
We can improve the experience even further by supporting additional features that are currently present in other tools.
We want to engage analysts to make them aware of the security features already available in GitLab. They also perform analysis of vendors in the space and have an eye on the future. We will blend analyst insights with what we hear from our customers, prospects, and the larger market as a whole to ensure we’re adapting as the landscape evolves.
Last Reviewed: 2022-10-07
Last Updated: 2022-10-07