The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities.
GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so it's easy for developers to interact with.
While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.
While basic SAST scans are available in every GitLab tier, organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:
Our strategy depends on understanding our customers and the broader market.
This section summarizes our plans for specific parts of GitLab SAST.
We are currently working to upgrade more languages to Advanced SAST. We will continue until we have enabled Advanced SAST for all languages that GitLab SAST currently scans using Semgrep-based scanning. See documentation for the current languages Advanced SAST supports.
Status of new languages is tracked in epic 14312. As of 2025-02-06, the status is:
| Language | Expected release | Notes |
|---|---|---|
| PHP | 17.11 (April 2025) | Engine work expected to complete in 17.9. Rule development planned for 17.10 and 17.11. |
| C/C++ | During 2025 | Technical design starting in 17.10. We plan to release iteratively over the course of 2025. |
| Kotlin | Pending | |
| Scala | Pending | |
| iOS (Swift and Objective-C) | Pending |
Advanced SAST will be enabled by default in 18.0; it will take over coverage for the languages it supports at that time.
When we complete this initiative, we will then evaluate the future plans for the Semgrep-based analyzer, because it will serve fewer Ultimate customers over time.
For details on what is not included in this initiative, see What is not planned right now.
GitLab Vulnerability Research analyzes and improves coverage for already-supported languages as part of a continuous program of assessment and improvement. This program includes:
GitLab Static Analysis and Vulnerability Research teams are collaborating to improve the customer experience with SAST.
Our plans align with the themes for the Security use case:
In the next 3 months, we are planning to work on:
| Name | Overall status | One-month plan | Three-month plan |
|---|---|---|---|
| Advanced SAST support for PHP | Expected in FY26Q1. In progress. | Finalize engine support, implement rules | Complete rules; test; identify any additional changes required |
| Duo Vulnerability Resolution: Support new single-file vulnerability types | Expected in FY26Q1. In progress. | Complete evaluation. Begin enabling vuln types that pass the quality standard. | |
| New metrics for SAST adoption | Expected in 17.10. Define technical plan and implement in 17.10. | Implement high-priority missing metrics | |
| Proactive detection accuracy updates for Python, Go, Java | Expected FY26Q1. (Primarily Vulnerabilty Research.) | Ship findings based on analysis of benchmark/example applications | |
| Multi-core Advanced SAST scanning | Expected in FY26Q1. Available as an opt-in. | Enable by default | |
| Improve Advanced SAST performance and stability | Beginning implementation in 17.10. | Begin implementation | Differential-scanning, multi-threaded engine, incremental scanning |
| Enable Advanced SAST by default | Expected in 18.0 (FY26Q2). | Make necessary preparations | Complete transition |
| Implement Advanced SAST for C/C++ | Expected by FY26Q4. Beginning technical planning in 17.10. | Create technical plan | |
| Use Advanced SAST engine and rules for real-time IDE SAST scanning | Expected in FY26Q2. | Use Advanced SAST engine; identify action items from user feedback | Work toward self-managed support; address other user feedback |
After the next 3 months, we plan to work on:
| Name | Overall status |
|---|---|
| Incremental scanning for Advanced SAST (skip unchanged code) | Expected FY26Q2. Reassessing technical plan. |
| Reduce false negatives in C# Advanced SAST | Expected FY26Q2. (Primarily Vulnerabilty Research.) |
| Real-time IDE SAST scanning: Beta release | Expected FY26Q3 |
| Customizable detection logic for Advanced SAST | Expected FY26Q3 |
| Real-time IDE SAST scanning: GA release | Expected FY26Q4 |
| Duo Vulnerability Resolution: Support resolving cross-file injection vulnerabilities | Expected FY26Q4. Will require coordination with Security Risk Management. |
Our recent work includes:
Check older release posts for our previous work in this area.
We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives:
You can contribute to where GitLab SAST goes next by:
gitlab-org/gitlab issue tracker.@gitlab-bot label ~"group::static analysis" ~"Category:SAST" so your issue lands in our triage workflow.| Stage | Application Security Testing |
| Content Last Reviewed | 2025-02-18 |