Static Application Security Testing with GitLab CI/CD
NOTE: Note: In order to use this tool, a GitLab Ultimate license is needed.
This example shows how to run Static Application Security Testing (SAST) on your project's source code by using GitLab CI/CD.
First, you need a GitLab Runner with the docker-in-docker executor, because the scanner runs as a Docker container.

You can then add a new job to `.gitlab-ci.yml`, called `sast`:
```yaml
sast:
  image: registry.gitlab.com/gitlab-org/gl-sast:latest
  script:
    - /app/bin/run .
  artifacts:
    paths: [gl-sast-report.json]
```

The same scan can be driven from shell helpers defined once as a YAML anchor and pulled into every job's `before_script`; this is the form used by the Auto-DevOps template referenced below. A job's `script` then calls `setup_docker` followed by `sast`. Note that the helper mounts the runner's Docker socket into the scanner container, which gives that container full control of the host's Docker daemon, so use it only on runners you trust with the projects they build:

```yaml
.functions: &functions |
  # Variables and functions
  function setup_docker() {
    # Inside Kubernetes-hosted runners the dind service listens on localhost.
    if ! docker info &>/dev/null; then
      if [ -z "$DOCKER_HOST" ] && [ -n "$KUBERNETES_PORT" ]; then
        export DOCKER_HOST='tcp://localhost:2375'
      fi
    fi
  }

  function sast() {
    case "$CI_SERVER_VERSION" in
      *-ee)
        # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable"
        SAST_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
        docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \
                   --env SAST_DISABLE_REMOTE_CHECKS="${SAST_DISABLE_REMOTE_CHECKS:-false}" \
                   --volume "$PWD:/code" \
                   --volume /var/run/docker.sock:/var/run/docker.sock \
                   "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
        ;;
      *)
        echo "GitLab Enterprise Edition is required"
        ;;
    esac
  }

before_script:
  - *functions
```

Two details worth checking before relying on this in a pipeline: the `sast` helper only prints a message, and does not fail the job, when the server is not an Enterprise Edition build, and the first job pins the scanner to the `latest` tag while the helper pins it to the `MAJOR-MINOR-stable` tag derived from `CI_SERVER_VERSION`, which is the version that matches your GitLab server.
The above example will create a `sast` job in your CI pipeline and will allow you to download and analyze the report artifact in JSON format. Check the Auto-DevOps template for a full reference.
The results are sorted by the priority of the vulnerability:
- High
- Medium
- Low
- Unknown
- Everything else
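As an added example, not part of this page or of the gl-sast tool, the script below reads the report artifact, orders findings in exactly the priority order listed above, counts them per priority, and reports the findings at or above a chosen priority so a later job can fail the pipeline on them. It assumes the report is a JSON array of findings, each carrying a `priority` string alongside `tool`, `message`, `file` and `line`; that layout is an assumption, as this page does not document the report schema. The sample report embedded in the script is constructed for illustration.

```python
"""Sort and gate a gl-sast-report.json in the priority order this page lists.

Added example. The report layout (a JSON array of findings, each with a
"priority" string plus "tool", "message", "file" and "line") is an assumption
about the gl-sast output; adjust the keys if your report differs.
"""
import json
import sys

# Order from the page: High, Medium, Low, Unknown, then everything else.
PRIORITY_ORDER = ("High", "Medium", "Low", "Unknown")

# Constructed sample report, standing in for the downloaded artifact.
SAMPLE_REPORT = json.dumps([
    {"tool": "bandit", "priority": "Medium", "message": "Use of insecure MD5 hash",
     "file": "app/crypto.py", "line": 14},
    {"tool": "brakeman", "priority": "High", "message": "Possible SQL injection",
     "file": "app/models/user.rb", "line": 42},
    {"tool": "retire.js", "priority": "Unknown", "message": "jquery 1.8.3 has known vulnerabilities",
     "file": "vendor/jquery.js", "line": 1},
    {"tool": "bundler-audit", "priority": "Critical", "message": "rails-html-sanitizer XSS",
     "file": "Gemfile.lock", "line": 0},
    {"tool": "bandit", "priority": "Low", "message": "assert used outside tests",
     "file": "app/util.py", "line": 3},
])


def sample_findings():
    """Parse the constructed sample report into a list of finding dicts."""
    return json.loads(SAMPLE_REPORT)


def priority_rank(priority):
    """Rank a priority label: 0 for High ... 3 for Unknown, 4 for anything else."""
    try:
        return PRIORITY_ORDER.index(priority)
    except ValueError:
        return len(PRIORITY_ORDER)


def sort_findings(findings):
    """Order findings by the page's priority order, then tool, file and line for stable output."""
    return sorted(
        findings,
        key=lambda f: (priority_rank(f.get("priority", "")),
                       f.get("tool", ""), f.get("file", ""), f.get("line", 0)),
    )


def count_by_priority(findings):
    """Count findings per label; labels the page does not list go under 'Everything else'."""
    counts = {}
    for f in findings:
        label = f.get("priority", "")
        if label not in PRIORITY_ORDER:
            label = "Everything else"
        counts[label] = counts.get(label, 0) + 1
    return counts


def blocking_findings(findings, fail_at="High"):
    """Findings whose priority is at or above `fail_at` in the page's order.

    Labels outside the page's list rank below Unknown, so they only block when
    `fail_at` is itself such a label; review them by hand instead.
    """
    threshold = priority_rank(fail_at)
    return [f for f in findings if priority_rank(f.get("priority", "")) <= threshold]


def load_report(path):
    """Read a report file; the shape is assumed to match SAMPLE_REPORT."""
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    findings = load_report(argv[1]) if len(argv) > 1 else sample_findings()
    for f in sort_findings(findings):
        print(f"{f.get('priority', '?'):8} {f.get('tool', '?'):14} "
              f"{f.get('file', '?')}:{f.get('line', '?')}  {f.get('message', '')}")
    print("counts:", count_by_priority(findings))
    blockers = blocking_findings(findings, fail_at="High")
    print(f"{len(blockers)} finding(s) at High or above")
    # Non-zero exit fails the CI job, which is what makes this a gate.
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sast_gate.py gl-sast-report.json` from a job in a later stage that declares `dependencies: [sast]`, so the artifact produced by the `sast` job is present in the workspace. Keep the scan job itself non-blocking if you want the report in the merge request widget even when the gate fails.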
Behind the scenes, the GitLab SAST Docker image detects the languages and frameworks used in the project and runs the matching scan tools.

Some of these scanners send the list of project dependencies to GitLab central servers to check them against known vulnerabilities; this is what the `SAST_DISABLE_REMOTE_CHECKS` variable passed in the example above refers to. To learn more about this, or to disable it, check the GitLab SAST tool documentation.
TIP: Tip:
Starting with GitLab Ultimate 10.3, this information will be automatically extracted and shown right in the merge request widget. To do so, the CI job must be named `sast` and the artifact path must be `gl-sast-report.json`.
Learn more on application security testing results shown in merge requests.
Supported languages and frameworks
The following languages and frameworks are supported.
| Language / framework | Scan tool |
|---|---|
| JavaScript | Retire.js |
| Python | bandit |
| Ruby | bundler-audit |
| Ruby on Rails | brakeman |