Static application security testing with GitLab CI/CD
NOTE: Note: In order to use this tool, a GitLab Enterprise Edition Ultimate license is needed.
This example shows how to run Static Application Security Testing (SAST) on your project's source code by using GitLab CI/CD.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to .gitlab-ci.yml
,
called sast
:
sast:
image: registry.gitlab.com/gitlab-org/gl-sast:latest
script:
- /app/bin/run .
artifacts:
paths: [gl-sast-report.json]
Behind the scenes, the gl-sast Docker image is used to detect the language/framework and in turn runs the matching scan tool.
The above example will create a sast
job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format.
The results are sorted by the priority of the vulnerability:
- High
- Medium
- Low
- Unknown
- Everything else
TIP: Tip:
Starting with GitLab Enterprise Edition Ultimate 10.3, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named sast
and the artifact path must be
gl-sast-report.json
.
Learn more on application security testing results shown in merge requests.
Supported languages and frameworks
The following languages and frameworks are supported.
Language / framework | Scan tool |
---|---|
JavaScript | Retire.js |
Python | bandit |
Ruby | bundler-audit |
Ruby on Rails | brakeman |