The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Stage | Application Security Testing
---|---
Maturity | Viable
Content Last Reviewed | 2024-12-17
This direction page describes GitLab's plans for the SAST category, which checks source code to find possible security vulnerabilities.
This page is maintained by the Product Manager for Static Analysis, Connor Gilbert.
Everyone can contribute to where GitLab SAST goes next, and we'd love to hear from you. The best ways to participate in the conversation are to:
- Open an issue in the gitlab-org/gitlab issue tracker.
- Comment `@gitlab-bot label ~"group::static analysis" ~"Category:SAST"` on your issue so it lands in our triage workflow.

GitLab SAST runs on merge requests and the default branch of your software projects so you can continuously monitor and improve the security of the code you write. SAST jobs run in your CI/CD pipelines alongside existing builds, tests, and deployments, so it's easy for developers to interact with.
While SAST uses sophisticated techniques, we want it to be simple to understand and use day-to-day, especially by developers who may not have specific security expertise. So, when you enable GitLab SAST, it automatically detects the programming languages used in your project and runs the right security analyzers.
While basic SAST scans are available in every GitLab tier, organizations that use GitLab SAST in their security programs should use Ultimate. Only GitLab Ultimate includes:
Our strategy depends on understanding our customers and the broader market.
This section summarizes our plans for specific parts of GitLab SAST.
We are currently working to upgrade additional languages to Advanced SAST. We will continue until we have enabled Advanced SAST for all languages that GitLab SAST currently scans using Semgrep-based scanning, though we may pause language expansion in particular development milestones to focus on other features or further improvements to already-supported languages.
The status of this initiative, and the priority order between languages, is tracked in epic 14312.
We intend to enable Advanced SAST by default in 18.0; it will take over coverage for the languages it supports at that time. When we complete this initiative, we will then evaluate the future plans for the Semgrep-based analyzer, because it will serve fewer Ultimate customers over time.
We are not currently:
For details, see What is not planned right now.
GitLab Vulnerability Research analyzes and improves coverage for already-supported languages as part of a continuous program of assessment and improvement. This program includes:
GitLab Static Analysis and Vulnerability Research teams are collaborating to improve the customer experience with SAST.
Our plans align with the themes for the Security use case:
In the next 3 months, we are planning to work on:
Name | Overall status | One-month plan | Three-month plan
---|---|---|---
Add new code-flow UI to explain Advanced SAST results (Tracking issue/epic) | Shipped in the vuln report, MR widget, and pipeline security report. Expected completion in 17.7. | Complete implementation in MR changes view; address UX issues. (Development work is being handled by the Security Platform Management group.) |
Real-time SAST scanning in the IDE: initial release (Tracking issue/epic) | Expecting 17.6 (November 2024) for Experiment release on GitLab.com. | Deliver Experiment release | Move on to post-initial-release improvements, as listed below
Provide guidance on how to evaluate GitLab SAST (Tracking issue/epic) | Initial guide shipped | Implement further edits to the evaluation guide | Publish benchmark/example project guide, based on analysis project listed below
Restructure and update Advanced SAST docs now that the feature is GA (Tracking issue/epic) | In progress. (Primarily documentation.) | Complete most issues in this epic | Complete entire epic
Advanced SAST engine maintenance, testing, and stability improvements (Tracking issue/epic) | High-priority items preparing for release | Implement improvements |
Analyze Advanced SAST performance against standard benchmarks (Tracking issue/epic) | Analysis and rule updates in progress. (Handled primarily by Vulnerability Research.) | Continue analysis and rule updates | Complete work; use results to update documentation
Implement the next level of documentation for rule/CWE coverage (Tracking issue/epic) | Assessing implementation options. (Handled primarily by Vulnerability Research.) | Interview internal users and develop technical plan | Ship documentation
Enable Advanced SAST for PHP (Tracking issue/epic) | Ready to begin implementation after a pause. ETA TBD. | Finalize engine support, migrate/implement rules |
Expand coverage for Vulnerability Resolution to more CWE types (Tracking issue/epic) | Finalize technical plan. Complete prerequisite changes so that we can test new feature iterations. | Begin executing the technical plan. |
Expand real-time SAST in the IDE (Tracking issue/epic) | Will begin after the initial Experiment release | Respond to feedback and next steps after the initial Experiment release | Work toward self-managed support; improve user-perceived latency
After the next 3 months, we plan to work on:
Name | Overall status
---|---
Implement Advanced SAST for C/C++ (Tracking issue/epic) |
Incremental pipeline-based scans (skip unmodified code) (Tracking issue/epic) | Currently blocked by database decomposition
Enable Advanced SAST for additional languages (Tracking issue/epic) | Waiting for other languages, as listed above. See epic for language priority order.
Reshape SAST customization; allow org-specific Advanced SAST (Tracking issue/epic) | Analyzing customer use cases to develop requirements
Enable Advanced SAST by default (Tracking issue/epic) | Likely to occur in GitLab 18.0 due to breaking-change requirements.
Make SAST results easier to understand and triage (Tracking issue/epic) | Coordinating with Security Risk Management stage for scheduling
Our recent work includes:
Check older release posts for our previous work in this area.
We understand the value of many potential improvements to GitLab SAST, but aren't currently planning to work on the following initiatives: