//Question

What does GitLab use for SAST?

Posted on 20th August, 2024

Archer

//Answer

GitLab uses a variety of open-source and proprietary analyzers to perform Static Application Security Testing (SAST) within its pipelines. These analyzers are integrated into the CI/CD process and are designed to scan code for vulnerabilities at an early stage of development.

GitLab’s SAST supports a wide range of programming languages, including Java, JavaScript, Python, Go, Ruby, and more. The testing includes analyzers like Bandit, Brakeman, ESLint, SpotBugs, and Gosec, among others. These tools automatically scan the source code for security flaws such as SQL injection, cross-site scripting (XSS), and other common vulnerabilities.

To implement SAST in GitLab, developers can enable Auto DevOps or manually include SAST jobs in the .gitlab-ci.yml file. The results are then displayed in GitLab’s security dashboard, allowing developers to identify and remediate security issues directly within the development lifecycle.
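As an added illustration of the manual route the answer describes (this is example configuration, not taken from the original post or from GitLab's own docs), a minimal .gitlab-ci.yml that includes GitLab's SAST template and tunes it with a few of GitLab's documented variables. The template name and variable names are GitLab's; the excluded paths and the choice of analyzer to drop are constructed for the example and should be adapted to the project.

```yaml
# Example .gitlab-ci.yml enabling GitLab SAST without Auto DevOps.
# The template adds one job per applicable analyzer; each job runs in
# the "test" stage, so that stage must exist in the pipeline.
stages:
  - test

include:
  # GitLab's managed SAST template (real template path).
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Paths the analyzers should skip. Vendored and test code are
  # constructed examples here; adjust to the repository layout.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Limit how deep the language detection walks the tree (default is 4).
  SEARCH_MAX_DEPTH: 6
  # Example only: skip one analyzer the project does not need.
  # Dropping an analyzer removes its coverage, so prefer a narrow list.
  SAST_EXCLUDED_ANALYZERS: "spotbugs"

# Optional override of a template job. Jobs created by the template can
# be extended by name; here the Semgrep-based job is restricted to
# merge request and default-branch pipelines so findings land in the
# merge request widget and the security dashboard.
semgrep-sast:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The template's jobs emit a gl-sast-report.json artifact, which is what populates the merge request security widget and the security dashboard mentioned above.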