
Static Application Security Testing (SAST) | GitLab Docs
SAST scanning runs in your CI/CD pipeline. When you add the GitLab-managed CI/CD template to your pipeline, the right SAST analyzers automatically scan your code and save results as SAST report artifacts. To configure SAST for a project you can: Use Auto SAST, provided by Auto DevOps. Configure SAST in your CI/CD YAML. Configure SAST by using ...
Vulnerability report | GitLab Docs - GitLab Documentation
The vulnerability report provides a consolidated view of security vulnerabilities found in your codebase. Sort vulnerabilities by severity, report type, scanner (for projects only), and other attributes to determine which issues need attention first.
Vulnerability tracking overview | GitLab Docs
Security testing often involves multiple Static Application Security Testing (SAST) tools, each specialized in detecting specific vulnerabilities, such as hardcoded passwords or insecure data flows. A heterogeneous SAST setup, using multiple …
Security scanner integration | GitLab Docs - GitLab Documentation
The report is a JSON document that combines vulnerabilities with possible remediations. This documentation gives an overview of the report JSON format, recommendations, and examples to help integrators set its fields. The format is extensively described in the documentation of SAST, DAST, Dependency Scanning, and Container Scanning
GitLab CI/CD artifacts reports types | GitLab Docs - GitLab …
artifacts:reports:sast. The sast report collects SAST vulnerabilities. The collected SAST report uploads to GitLab as an artifact. For more information, see: View SAST results; SAST output; artifacts:reports:secret_detection. The secret-detection report collects detected secrets. The collected Secret Detection report is uploaded to GitLab.
Troubleshooting SAST | GitLab Docs - GitLab Documentation
GitLab SAST analyzers are released as container images. If you’re seeing a new error that doesn’t appear to be related to the GitLab-managed SAST CI/CD template or changes in your own project, you can try pinning the affected analyzer to a specific older version.
SAST analyzers | GitLab Docs - GitLab Documentation
Static Application Security Testing (SAST) uses analyzers to detect vulnerabilities in source code. Each analyzer is a wrapper around a scanner, a third-party code analysis tool. The analyzers are published as Docker images that SAST uses to launch dedicated containers for each analysis.
Vulnerability details | GitLab Docs
The vulnerability must be a SAST finding from a supported analyzer: Any GitLab-supported analyzer. A properly integrated third-party SAST scanner that reports the vulnerability location and a CWE Identifier for each vulnerability.
SAST analyzers | GitLab Docs - GitLab Documentation
Post analyzers enrich the report output by an analyzer. A post analyzer doesn’t modify report content directly. Instead, it enhances the results with additional properties, including: CWEs. Location tracking fields. Transition to Semgrep-based scanning
Infrastructure as Code scanning | GitLab Docs
The IaC scanner outputs a JSON report file in the existing SAST report format. For more information, see the schema for this report. The JSON report file can be downloaded from: The CI pipelines page. The pipelines tab on merge requests by setting artifacts:paths to gl-sast-report.json. For more information see Downloading artifacts ...