Static application security testing (SAST) analyzes source code to find potential security vulnerabilities. It helps developers identify weaknesses and security issues early in the software development lifecycle, before code is deployed, and is usually run when code is submitted to a code repository. Think of it as a spell checker for security issues.
SAST operates on source code (or, for some analyzers, compiled binaries) rather than on a running application, so it usually does not require the code to be built or deployed. The flip side is that SAST cannot detect runtime or environment issues. Analyzers examine the control flow, the abstract syntax tree, how functions are invoked, and whether tainted data flows between them in order to detect weak points that may lead to unintended behavior.
Just like spell checkers, SAST analyzers are language- and syntax-specific and can only identify known classes of issues. SAST does not replace code reviewers; it augments them and provides another line of proactive defense against common, known classes of security issues. SAST is specifically about identifying potential security issues, so it should not be confused with Code Quality.
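To make the "spell checker" analogy concrete, here is a small AST-based analyzer, added as an illustration (not GitLab's own code or one of its analyzers). It walks the abstract syntax tree of a Python module and flags two well-known patterns, `eval()` and `subprocess` calls with `shell=True`; the source it scans is a constructed sample embedded in the block. The last function in that sample, `hidden()`, shows the limitation described above: the dangerous flag is only known at runtime, so a purely syntactic rule misses it.

```python
"""Minimal AST-based SAST analyzer (added example, not GitLab's code)."""
import ast
from dataclasses import dataclass

# Constructed sample input: the code under test, embedded as a string.
# Line numbers in the findings refer to this string.
SAMPLE_SOURCE = """\
import subprocess

def run(cmd):
    subprocess.call(cmd, shell=True)    # flagged: shell=True

def load(expr):
    return eval(expr)                   # flagged: eval()

def safe(cmd):
    subprocess.call(["ls", cmd])        # list form, not flagged

def hidden(cmd):
    opts = {"shell": True}
    subprocess.call(cmd, **opts)        # missed: flag is only known at runtime
"""


@dataclass
class Finding:
    rule: str      # rule identifier (names are this example's own, not a vendor's)
    line: int      # 1-based line in the scanned source
    message: str


def _call_name(func):
    """Render the callee as a dotted name, e.g. 'subprocess.call'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


class Analyzer(ast.NodeVisitor):
    """Syntactic rules only: no data-flow or runtime knowledge."""

    SHELL_APIS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                  "subprocess.check_output", "subprocess.check_call"}

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name == "eval":
            self.findings.append(Finding("py-eval", node.lineno,
                                         "use of eval() on possibly untrusted input"))
        if name in self.SHELL_APIS:
            for kw in node.keywords:
                # kw.arg is None for **kwargs, which is exactly the case we cannot see through
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("py-subprocess-shell", node.lineno,
                                                 "subprocess invoked with shell=True"))
        self.generic_visit(node)


def analyze(source: str):
    """Parse the source and return findings in source order."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Running it reports the `shell=True` call on line 4 and the `eval()` on line 7, and stays silent on both `safe()` and `hidden()`. The silence on `hidden()` is the point: a real analyzer would add intra-procedural data-flow tracking to follow `opts`, but even then anything decided by configuration or user input at runtime stays out of reach, which is why SAST is one layer alongside review and dynamic testing rather than a replacement for them.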
Overall, we want to help developers write better code and worry less about common security mistakes. SAST should prevent vulnerabilities by making common security issues easy to identify and fix as code is contributed. It should integrate seamlessly into a developer's workflow, because a security tool is only effective if it is actually used.
We also want to make the complexity of SAST transparent to users: GitLab automatically detects the programming language and runs the appropriate analyzer. We want to increase language coverage by adding support for the most common languages.
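For reference, the way that automatic detection is switched on from a project's pipeline, as an added example rather than text from this page: including GitLab's `Security/SAST.gitlab-ci.yml` template adds a `sast` job to the `test` stage, and the analyzers then select themselves based on the languages found in the repository. The `SAST_EXCLUDED_PATHS` value shown is assumed for illustration; adjust it to the project's layout.

```yaml
# .gitlab-ci.yml (added example). The template path is GitLab's; the
# excluded paths below are an assumption for this illustration.
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Comma-separated paths the analyzers should skip (test fixtures, vendored code).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
```

No language or analyzer is named in the configuration; that is the "transparent complexity" the paragraph above describes.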
Language priorities (in addition to our existing language support)
User success metrics
The following measures would help us know which area of SAST on which to focus:
The SAST Category Maturity level is currently at Viable. We plan to mature it to Complete by January 2021.
For the next few releases we are focused on cleaning up the state of our current scanners and improving support for additional configurations. We also want to bring our SAST scanners down to Core to make them available to the most people, as part of our community stewardship commitment.
Why is this important?
GitLab needs at least a minimum level of coverage in the SAST feature set to check the box for compliance and buyer personas. Beyond that, SAST has a very real impact in helping the world write better code. If GitLab provides a basic level of SAST to all repositories on GitLab, we can meaningfully help protect against the simplest code security issues. That encourages GitLab to become the source of security information for repositories. It also provides opportunities to show the breadth of GitLab's feature set, and how that enables more complete and holistic DevOps processes.
GitLab uniquely has opportunities across the entire DevOps process. We can integrate across DevOps stages, using data, insight, and functionality from other steps to enrich and automate based on SAST findings. We might even allow integration with competitors' scanners to ensure GitLab controls the DevOps process, regardless of which SAST solution a team chooses or which fits its unique needs. This centers GitLab as the system of control and lets people extend and integrate other solutions into the GitLab DevOps workflow.
There are many well-known commercial products that provide SAST. Most support multiple languages and integrate into the development lifecycle.
Here are some vendors providing SAST tools:
GitLab is uniquely positioned to integrate deeply into the development lifecycle, using CI/CD pipelines to perform the security tests. There is no need to connect a remote source code repository or to use a separate interface.
We can improve the experience further by supporting additional features that are currently present in other tools.
We want to engage analysts to make them aware of the security features already available in GitLab. Analysts also evaluate vendors in the space and keep an eye on the future. We will blend analyst insights with what we hear from our customers, prospects, and the larger market to ensure we adapt as the landscape evolves.