Static Application Security Testing with GitLab CI/CD
NOTE: Note: In order to use this tool, a GitLab Enterprise Edition Ultimate license is needed.
This example shows how to run Static Application Security Testing (SAST) on your project's source code by using GitLab CI/CD.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to
sast: image: registry.gitlab.com/gitlab-org/gl-sast:latest script: - /app/bin/run . artifacts: paths: [gl-sast-report.json]
Behind the scenes, the gl-sast Docker image is used to detect the language/framework and in turn runs the matching scan tool.
The above example will create a
sast job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format.
The results are sorted by the priority of the vulnerability:
- Everything else
Starting with GitLab Enterprise Edition Ultimate 10.3, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named
sast and the artifact path must be
Learn more on application security testing results shown in merge requests.
Supported languages and frameworks
The following languages and frameworks are supported.
|Language / framework||Scan tool|
|Ruby on Rails||brakeman|