The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Secure |
|---|---|
| Maturity | Complete |
| Content Last Reviewed | 2023-08-23 |
This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities. It helps developers identify weaknesses and security issues earlier in the software development lifecycle before code is deployed. GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write.
This page is maintained by the Product Manager for Static Analysis, Connor Gilbert.
Everyone can contribute to where GitLab SAST goes next, and we'd love to hear from you. The best ways to participate in the conversation are to:
- Open or comment on an issue in the gitlab-org/gitlab issue tracker. Add the comment `@gitlab-bot label ~"group::static analysis" ~"Category:SAST"` so your issue lands in our triage workflow.

SAST checks source code to find possible security vulnerabilities. It helps developers identify weaknesses and security issues earlier in the software development lifecycle before code is deployed.
SAST does:
SAST doesn't:
Security tools like SAST are best when integrated directly into the DevOps Lifecycle. We believe that every project can benefit from SAST scans, so we include it in Auto DevOps and make SAST scanning available at all GitLab tiers, including Free. Additional features, including proprietary code analysis and integration with GitLab Vulnerability Management, are available only in GitLab Ultimate.
GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so developers can work with the results without leaving their usual workflow.
While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.
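As an added illustration (not part of this direction page), the following minimal `.gitlab-ci.yml` shows what "enable GitLab SAST" looks like in practice: the project includes GitLab's SAST CI template, the template's own rules run the SAST jobs on merge requests and on the default branch, and which analyzers actually execute is decided by the languages detected in the repository. The `build-job` and the `SAST_EXCLUDED_PATHS` value are constructed examples, not project defaults.

```yaml
# Constructed example .gitlab-ci.yml (added illustration, not from the direction page).
# The included template defines the SAST jobs, their stage, and their rules,
# so no per-language scanning job has to be written by hand.
stages:
  - build
  - test
  - deploy

include:
  - template: Jobs/SAST.gitlab-ci.yml

# Optional project-level tuning of the template through CI/CD variables.
variables:
  # Constructed value: keep generated and vendored code out of the scan
  # so findings point at code the team actually owns.
  SAST_EXCLUDED_PATHS: "spec,test,tests,tmp,vendor"

# Constructed placeholder for an existing pipeline job; the SAST jobs from the
# template run in the "test" stage alongside it.
build-job:
  stage: build
  script:
    - echo "build step runs next to the template's SAST jobs"
```

In every tier the SAST jobs produce a `gl-sast-report.json` artifact; surfacing those findings in the merge request widget and the Vulnerability Report is the Ultimate-only integration the page refers to.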
We want to give everyone the tools they need to write high-quality code, so basic SAST scans are available in every GitLab tier. However, all organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:
To learn more, check the SAST documentation.
We want to help developers write better code and worry less about common security mistakes. SAST should help prevent security vulnerabilities by helping developers easily identify common security issues as code is being contributed and mitigate them proactively. SAST should integrate seamlessly into a developer’s workflow, because a security tool is only effective if it is actively used.
The importance of these goals is validated by GitLab's DevSecOps Landscape Survey, which consistently finds that:
GitLab Static Analysis and Vulnerability Research teams are collaborating to address important opportunities to improve the customer experience with SAST. Important themes include:
We expect different parts of these initiatives to deliver value in the short, medium, and long term.
Outside of these proactive priorities, we also react quickly to functional bugs.
In the next 3 months, we are planning to work on:
We are currently working on:
We are also looking forward by investigating approaches to:
Our recent work includes:
Check older release posts for our previous work in this area.
We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives: